
Guide to FFIEC IT Examination Handbook:

Information Security
Acknowledgments:
The production of this book, Guide to FFIEC IT Examination Handbook: Information Security,
involved a significant joint effort on the part of Landy Dutton, Summit Bank and all of the bankers
on the ABA Cyber and Information Security Working Group. We would also like to acknowledge the author:
Denyette DePierro, Vice President & Senior Counsel, Payments & Cybersecurity, American Bankers Association.

Find additional guides, policy issue and emerging technologies resources that support the delivery
of high-quality, secure payments services at your institution at aba.com/paymentsandcyber.

About the American Bankers Association


The American Bankers Association is the voice of the nation’s $16 trillion banking industry, which is
composed of small, regional and large banks that together employ more than 2 million people, safeguard
$12 trillion in deposits and extend more than $8 trillion in loans.

© 2017 American Bankers Association, Washington, D.C.

This publication was paid for in part with the dues of ABA member financial institutions and
is intended solely for their use.

This publication is designed to provide accurate information on the subject addressed and is published for
educational reference only. It is provided with the understanding that neither the authors, contributors nor the
publisher is engaged in rendering legal, accounting, or other expert or professional services. If legal or other
expert assistance is required, the services of a competent professional should be sought. This guide in no
way intends or effectuates a restraint of trade or other illegal concerted action.

American Bankers Association® and the stylized “ab” design logo® are registered trademarks/service
marks of the ABA and no endorsement, sponsorship, or affiliation is implied by their use in this publication.
Guide to FFIEC IT Handbook: Information Security

Table of Contents (section, page in this summary)

Summary: Significant Revisions to 2016 FFIEC IT Information Security Booklet: 2006 v. 2016 ... 1
How to Use This Summary ... 2
Summary Checklist ... 3
Index: Third Parties ... 7
Exam Tool: Review of Exam Procedure and Bank Response ... 8
Objective 1: Determine the appropriate scope and objectives for the examination ... 8
Objective 2: Management and effective governance ... 11
Objective 3: Management of business lines and support functions, and third-party service providers ... 16
Objective 4: Risk identification ... 17
Objective 5: Mitigating controls ... 20
Objective 6: Implementation of controls ... 21
Objective 7: Risk monitoring and reporting processes ... 54
Objective 8: Security operations ... 56
Objective 9: Information security ... 63
Objective 10: Assurance activities ... 63
Objective 11: Discuss corrective action and communicate findings ... 66
ABA – Summary IT Booklet | 1

Summary: Significant Revisions to 2016 FFIEC IT Information Security Booklet: 2006 v. 2016

1) This booklet addresses those aspects of governance and risk management specific to information security. IT governance and risk management generally are addressed in the IT Handbook's "Management" and "Outsourcing Technology Services" booklets.
2) No tiered examination procedures. The 2006 booklet had two-tiered examination procedures that provided additional verification procedures to assist in identifying the root causes of suspected security weaknesses. The 2016 booklet has a single, uniform set of examination procedures for all institutions.
3) Focus on risk management. The 2016 language mirrors the Dodd-Frank Act and NIST focus on risk management, identification, and mitigation commensurate with size, risk, priority, and resources.
4) New sections:
a. Security Culture (p. 3)
b. Resources (p. 5)
c. Risk Identification (p. 7)
d. Supervision of Cybersecurity (p. 9)
e. Risk Measurement (p. 10)
f. Inventory and Classification of Assets (p. 14)
g. Mitigating Interconnectivity Risk (p. 14)
h. Segregation of Duties (p. 16)
i. End-of-Life Management (p. 25)
j. Rogue or Shadow IT (p. 29)
k. Supply Chain (p. 29)
l. Consumer Awareness (p. 37)
m. Database Security (p. 40)
n. Outsourced Cloud Computing (p. 43)
o. Assurance Reporting (p. 56)

How to Use This Summary

This summary allows for easy side-by-side comparison of the FFIEC examiners' checklist and the corresponding bank procedures as described in the 2016 FFIEC Information Security Booklet.

a. Two columns: The summary is separated into two columns. The column on the left is entitled "Examination Procedures" and the column on the right is entitled "Bank Procedures."
   i. Text in the "Examination Procedures" column (LEFT) is copied from Appendix A, Examination Procedures, 2016 FFIEC Information Security Booklet (p. 57-74). These are the instructions given to bank examiners to follow during your bank exam.
   ii. Text in the "Bank Procedures" column (RIGHT) is a copy and reformatting of the informational content in the 2016 FFIEC Information Security Booklet (p. 1-56). These are the instructions and suggestions for banks to consider as they are setting up their IT risk management program and preparing for exams.
b. How it works: The examination QUESTIONS in the left column are ANSWERED by the bank procedure guidance in the right column.
c. Definitions: The summary does not include definitions. If you are unfamiliar with a term, please refer to the glossary in the 2016 FFIEC Information Security Booklet (Appendix B, p. 75-88).
d. Web links: Footnotes, internal references to other FFIEC IT Booklets, references to other sections within the same booklet, and references to corresponding statute, regulation, or supervisory guidance are featured as live web links. Click on the words in blue font to be automatically taken to the relevant referenced language.
e. Page numbers: Any reference to a page number in the "Bank Procedures" column refers to the page where the section can be found in the 2016 FFIEC Information Security Booklet.

Example (annotated sample page of the exam tool): the callouts identify the page number of the section in the 2016 FFIEC InfoSec Booklet; the bank's response re: customer awareness and education, taken from the bank instructions in the 2016 FFIEC InfoSec Booklet; the examiner's question re: customer awareness & education, taken from Appendix A of the 2016 FFIEC InfoSec Booklet; and a web link to the FBI Alert referenced in the 2016 FFIEC InfoSec Booklet.

Summary Checklist:

Governance
• Establishing an information security culture that promotes an effective information security program and the role of all employees in protecting the institution's information and systems.
• Clearly defining and communicating information security responsibilities and accountability throughout the institution.
• Providing adequate resources to effectively support the information security program.

Information Security Program Management
• Supports the institution's IT risk management (ITRM) process by identifying threats, measuring risk, defining information security requirements, and implementing controls.
• Integrates with lines of business and support functions at the level of decision-making.
• Integrates third-party service provider activities with the information security program.

Risk Management
• Develop risk measurement processes that evaluate the inherent risk to the institution.

Risk Mitigation
• Develop and implement appropriate controls to mitigate identified risks.

Inventory and Classification of Assets
• Inventory and classify assets, including hardware, software, information, and connections.

User Security Controls
• Establishing and administering security screening in IT hiring practices.
• Establishing and administering a user access program for physical and logical access.
• Employing segregation of duties.
• Obtaining agreements covering confidentiality, nondisclosure, and authorized use.
• Providing training to support awareness and policy compliance.

Physical Security
• Implement appropriate preventive, detective, and corrective controls for physical security.

Network Controls
• Establishing zones (e.g., trusted and untrusted) according to the risk profile and criticality of assets contained within the zones and appropriate access requirements within and between each security zone.
• Maintaining accurate network diagrams and data flow charts.
• Implementing appropriate controls over wired and wireless networks.

Change Management Within the IT Environment
• Configuration management of IT systems and applications.
• Hardening of systems and applications.
• Use of standard builds.
• Patch management.

Control of Information
• Establish and supervise compliance with policies for storing and handling information, including:
   • Storing data on mobile devices and cloud services.
   • Defining and implementing appropriate controls over the electronic transmission of information.
   • Facilitating safe and secure disposal of sensitive information.
   • Securing physical media in transit.

Logical Security
• Assigning users and devices the access required to perform required functions.
• Updating access rights based on personnel or system changes.
• Reviewing users' access rights at an appropriate frequency based on the risk to the application or system.
• Designing appropriate acceptable-use policies and requiring users to agree to them.
• Controlling privileged access.
• Changing or disabling default user accounts and passwords.

Customer Remote Access to Financial Services
• Develop and maintain policies and procedures to securely offer and strengthen the resilience of remote financial services.
• Plan for actions that adversely affect the availability of remote banking services to customers.
• Coordinate appropriate responses with the institution's ISPs and third-party service providers.
• Regularly test the institution's response plans.

Application Security
• Use applications that have been developed following secure development practices and that meet a prudent level of security.
• Develop security control requirements for all applications, whether the institution acquires or develops them.
• Involve information security personnel in monitoring the application development process to verify that secure development practices are followed, security controls are implemented, and information security needs are met.

Database Security
• Implement effective controls for databases and restrict access appropriately.

Encryption
• Management should implement the type and level of encryption commensurate with the sensitivity of the information.

Business Continuity
• Identify personnel who will have critical information security roles during a disaster, and train personnel in those roles.
• Define information security needs for backup sites and alternate communication networks.
• Establish and maintain policies that address the concepts of information security incident response and resilience, and test information security incident scenarios.

Security Operations
• Broadly scoped to address all ongoing security-related functions.
• Guided by defined processes.
• Integrated with lines of business and third parties.
• Appropriately staffed and supplied with technology for continual incident detection and response activities.

Threat Identification and Assessment
• Identify and assess threats.
• Use threat knowledge to drive risk assessment and response.
• Design policies to allow immediate and consequential threats to be dealt with expeditiously.

Incident Identification and Assessment
• Identify indicators of compromise.
• Analyze the event associated with the indicators.
• Classify the event.
• Escalate the event consistent with the classification.
• Report internally and externally as appropriate.

Assurance and Testing
• Testing and evaluating through self-assessments, tests, and audits with appropriate coverage, depth, and independence.
• Aligning personnel skills and program needs.
• Establishing and implementing a reporting process that includes the assembly and distribution of assurance reports that are timely, complete, transparent, and relevant to management decisions.

Index: Third Parties

Third parties and third-party risk management are mentioned in several sections of the handbook, not only in the section devoted to third-party oversight. You can find third parties mentioned in the following sections:

Topic ... Page in this summary
Remote access by third parties ... 39
Incident response planning ... 41
Oversight of third-party service providers ... 42
Software development by third parties ... 44
Database security ... 44
Security operations ... 52
Threat identification resources ... 53
Indicator analysis ... 55
Incident response ... 56
Assurance & testing:
• Independent testing ... 58
• Penetration testing ... 60
• Audit ... 60

Objective 1: Determine the appropriate scope and objectives for the examination.

Examination Procedures Bank Procedures

Examination Procedures:
1. Review past reports for outstanding issues or previous problems. Consider the following:
a. Regulatory reports of examination.
b. Internal and external audit reports.
c. Independent security tests.
d. Regulatory and audit reports on service providers.

2. Review management's response to issues raised at, or since, the last examination. Consider the following:
a. Adequacy and timing of corrective action.
b. Resolution of root causes rather than just specific issues.
c. Existence of any outstanding issues.


3. Interview management and review responses to pre-examination information requests to identify changes to the technology infrastructure or new products and services that might increase the institution's risk. Consider the following:
a. Products or services delivered to either internal or external users.
b. Network topology or diagram, including changes to configuration or components and all internal and external connections.
c. Hardware and software inventories.
d. Loss, addition, or change in duties of key personnel.
e. Technology service providers and software vendor listings.
f. Communication lines with other business units (e.g., loan review, credit risk management, line of business quality assurance, and internal audit).
g. Credit or operating losses primarily attributable (or thought to be attributable) to IT (e.g., system problems, fraud occurring due to poor controls, and improperly implemented changes to systems).
h. Changes to internal business processes.
i. Internal reorganizations.


4. Determine the complexity of the institution's information security environment.
a. Determine the degree of reliance on service providers for information processing and technology support, including security operation management.
b. Identify unique products and services and any required third-party access requirements.
c. Determine the extent of network connectivity internally and externally and the boundaries and functions of security domains.
d. Identify the systems that have recently undergone significant change, such as new hardware, software, configuration, and connectivity. Correlate the changed systems with the business processes they support, the extent of customer data available to those processes, and the effect of those changes on institution operations.

Objective 2: Determine whether management promotes effective governance of the information security program through a strong information security culture, defined information security responsibilities and accountability, and adequate resources to support the program.

Examination Procedures Bank Procedures

Examination Procedures:
1. Determine whether the institution has a culture that contributes to the effectiveness of the information security program.
a. Determine whether the institution's board and management understand and support information security and provide appropriate resources for the implementation of an effective security program.
b. Determine whether the information security program is integrated with the institution's lines of business, support functions, and management of third parties.
c. Review for indicators of an effective information security culture (e.g., method of introducing new business initiatives and manner in which the institution holds lines of business and employees accountable for promoting information security).

Bank Procedures:
I.A. Security Culture (p. 3). The board and management should:
1. Understand and support information security;
2. Provide appropriate resources for developing, implementing, and maintaining the information security program; and
3. Foster an information security program in which management and employees are committed to integrating the program into the institution's lines of business, support functions, and third-party management program.
Indicators of a mature InfoSec culture:
1. Integration of new initiatives. A stronger security culture generally integrates information security into new initiatives from the outset and throughout the life cycle of services and applications.
2. Employee accountability for compliance. Management and employees are accountable for complying with the information security program.

Examination Procedures:
2. Determine whether the board, or a committee of the board, is responsible for overseeing the development, implementation, and maintenance of the institution's information security program.

Bank Procedures:
I.B. Responsibility and Accountability (p. 3). The board, or designated board committee, should be responsible for:
1. Overseeing the development, implementation, and maintenance of the institution's information security program; and
2. Holding senior management accountable for its actions.

Examination Procedures:
3. Determine whether the board holds management accountable for the following:
a. Central oversight and coordination.
b. Assignment of responsibility.
c. Support of the information security program.
d. Effectiveness of the information security program.

Bank Procedures:
I.B. Responsibility and Accountability (p. 3). The board should:
1. Reasonably understand the business case for information security and the business implications of information security risks;
2. Provide management with direction; approve information security plans, policies, and programs;
3. Review assessments of the information security program's effectiveness;
4. Discuss management's recommendations for corrective action, when appropriate;
5. Provide management with its expectations and requirements; and
6. Hold management accountable for:
a. Central oversight and coordination;
b. Assignment of responsibility; and
c. Effectiveness of the information security program.


Examination Procedures:
4. Determine whether the board approves a written information security program and receives a report on the effectiveness of the information security program at least annually. Determine whether the report to the board describes the overall status of the information security program and discusses material matters related to the program such as the following:
a. Risk assessment process, including threat identification and assessment.
b. Risk management and control decisions.
c. Service provider arrangements.
d. Results of security operations activities and summaries of assurance reports.
e. Security breaches or violations and management's responses.
f. Recommendations for changes or updates to the information security program.

Bank Procedures:
Program approval. The board, or designated board committee, should:
1. Approve the institution's written information security program;
2. Affirm responsibilities for the development, implementation, and maintenance of the program; and
3. Review a report on the overall status of the program at least annually.
Also see Interagency Guidelines Establishing Information Security Standards [summary], section III.A (Dec 2004), requiring approval of the institution's written information security program, and oversight of the development, implementation and maintenance of the program, including assigning specific responsibility for its implementation and reviewing management reports. 12 C.F.R. Part 30, app. B (OCC); 12 C.F.R. Part 208, app. D-2 and Part 225, app. F (Board); 12 C.F.R. Part 364, app. B (FDIC).

Management report should:
1. Be provided to the board at least annually.
2. Describe:
a. Overall status of the program and material matters related to the program;
b. Risk assessment process, including threat identification and assessment;
c. Risk management and control decisions, including risk acceptance and avoidance;
d. Third-party service provider arrangements;
e. Results of testing;
f. Security breaches or violations of law or regulation and management's responses to such incidents; and
g. Recommendations for updates to the information security program.
3. Show results of:
a. Management assessments and reviews;
b. Internal and external audit activity related to information security;
c. Third-party reviews of the information security program and information security measures; and
d. Other internal or external reviews designed to assess the adequacy of the information security program, processes, policies, and controls.
Also see Interagency Guidelines Establishing Information Security Standards, section III.F [summary], requiring each financial institution to report to its board or an appropriate committee of the board at least annually. The report should include a description of the institution's compliance with the Information Security Standards and discuss material matters related to its information security program. 12 C.F.R. Part 30, app. B (OCC); 12 C.F.R. Part 208, app. D-2 and Part 225, app. F (Board); 12 C.F.R. Part 364, app. B (FDIC).


Examination Procedures:
5. Determine whether management responsibilities are appropriate and include the following:
a. Implementation of the information security program by clearly communicating responsibilities and holding appropriate individuals accountable for carrying out these responsibilities.
b. Establishment of appropriate policies, standards, and procedures to support the information security program.
c. Participation in assessing the effect of security threats or incidents on the institution and its business lines and processes.
d. Delineation of clear lines of responsibility and communication of accountability for information security.
e. Adherence to risk thresholds established by the board relating to information security threats or incidents, including those relating to cybersecurity.
f. Oversight of risk mitigation activities that support the information security program.
g. Establishment of appropriate segregation of duties.
h. Coordination of both information and physical security.
i. Integration of security controls throughout the institution.
j. Protection of data consistently throughout the institution.
k. Definition of the information security responsibilities of third parties.
l. Facilitation of annual information security and awareness training and ongoing security-related communications to employees.

Bank Procedures:
Management Responsibilities. Management should:
1. Implement the board-approved information security program.
2. Establish appropriate policies, standards, and procedures to support the information security program.
3. Participate in assessing the effect of security threats or incidents on the institution and its lines of business and processes.
4. Delineate clear lines of responsibility and communicate accountability for information security.
5. Adhere to board-approved risk thresholds relating to information security threats or incidents, and cybersecurity.
6. Oversee risk mitigation activities supporting the information security program.
7. Implement a risk acceptance process that identifies the risk and when, how, to what extent, and who in management accepted the risk associated with identified vulnerabilities.
8. Establish segregation of duties.
9. Coordinate information and physical security.
10. Integrate security controls throughout the institution.
11. Require that data with similar criticality and sensitivity be protected consistently throughout the institution.
12. Establish and monitor the information security responsibilities of third parties. (See "Oversight of Third-Party Service Providers" section of this booklet, p. 42.)
13. Maintain job descriptions or employment contracts that include specific information security responsibilities.
14. Annual employee training:
a. Provide information security and awareness training and ongoing security-related communications to employees; and
b. Ensure employees complete this information security training annually.


Examination Procedures:
6. Determine whether management has designated one or more individuals as an information security officer and determine the appropriateness of the reporting line.

Bank Procedures:
Information Security Officer.
1. Management should designate at least one information security officer responsible and accountable for implementing and monitoring the information security program.
2. Management may distribute information security management responsibilities across various lines of business depending on where the risk decisions are made and the institution's size, complexity, culture, nature of operations, or other factors.
Information security officers should:
1. Report directly to the board or senior management.
2. Have sufficient authority, stature within the organization, knowledge, background, training, and independence to perform assigned tasks.
3. Be independent of the IT operations staff and not report to IT operations management, to ensure appropriate segregation of duties.

Examination Procedures:
7. Determine whether security officers and employees know, understand, and are accountable for fulfilling their security responsibilities.

Bank Procedures:
Information security officers should be responsible for:
1. Responding to security events by ordering emergency actions to protect the institution and its customers from imminent loss of information;
2. Managing the negative effects on the confidentiality, integrity, availability, or value of information; and
3. Minimizing the disruption or degradation of critical services.

Examination Procedures:
8. Determine the adequacy of audit coverage and reporting of the information security program by reviewing appropriate audit reports and board or audit committee minutes. (For further questions, refer to the IT Handbook's "Audit" booklet examination procedures.)[1]

Bank Procedures:
• Internal auditors should implement a risk-based audit program to ensure management maintains, and the board oversees, an effective information security program.
• Management should issue appropriate audit reports to the board.
See IT Handbook's "Audit" booklet.

Examination Procedures:
9. Review the roles and responsibilities of all levels of management, including executive management, CIO or CTO, CISO, IT line management, and IT business unit management, to ensure that there is a clear delineation between management and oversight functions and operational duties.

[1] See the IT Handbook's "Audit" booklet examination procedures.
[2] See the IT Handbook's "Management" booklet examination procedures.


Examination Procedures:
10. Determine whether the board provides adequate funding to develop and implement a successful information security function. Review whether the institution has the following:
a. Appropriate staff with the necessary skills to meet the institution's technical and managerial needs.
b. Personnel with knowledge of technology standards, practices, and risk methodologies.
c. Training to prepare staff for their short- and long-term security responsibilities.
d. Oversight of third parties when they supplement an institution's technical and managerial capabilities.

Bank Procedures:
I.C. Resources (p. 5). Management should provide, and the board should oversee:
1. Funding. Adequate funding to develop, implement, and maintain a successful information security program.
2. Staffing. A successful information security program should be staffed by sufficient personnel who have:
a. Skills aligned with the institution's technical and managerial needs and commensurate with its size, complexity, and risk profile; and
b. Knowledge of technology standards, practices, and risk methodologies.
3. Third-party service providers. Oversight of third-party service providers commensurate with the sensitivity and criticality of the information and business processes supported by the third-party service provider.
See IT Handbook's "Outsourcing Technology Services" booklet.

Examination Procedures:
11. Determine whether management has adequately incorporated information security into its overall ITRM process. (For further questions, refer to the IT Handbook's "Management" booklet examination procedures.)[2]

Bank Procedures:
II. Information Security Program Management (p. 6). Management should:
1. Adopt a robust and effective information security program that supports the institution's IT risk management process.
2. Have an effective information security program that includes:
a. Risk identification, measurement, mitigation, monitoring, and reporting;
b. Assessment of risk through the identification of reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of "customer information" or "customer information systems" (see Interagency Guidelines Establishing Information Security Standards, section III.B [summary]); and
c. Identification of controls for identified risks commensurate with the sensitivity of the information and the complexity and scope of the institution's activities (see Interagency Guidelines Establishing Information Security Standards, section III.C).
3. Adopt an enumerated list of controls, as appropriate.
See IT Handbook's "Management" booklet.



Objective 3: Determine whether management of the information security program is appropriate and supports the institution's ITRM process, integrates with lines of business and support functions, and integrates third-party service provider activities with the information security program.

Examination Procedures Bank Procedures

Examination Procedures:
1. Determine whether the institution has an effective information security program that supports the ITRM process. Review whether the program includes the following:
a. Identification of threats and risks.
b. Measurement of risks.
c. Implementation of risk mitigation.
d. Monitoring and reporting of risks.
e. Methods to assess the program's effectiveness.

Bank Procedures:
Management should:
1. Identify, measure, mitigate, monitor, and report cybersecurity-related risks in accordance with the information security program and the ITRM process.
2. Have comprehensive assurance and testing processes to determine the overall effectiveness of the information security program.
3. Integrate the information security program with the institution's lines of business and support functions.

2. Determine whether management An integrated information security program provides management the ability to:
appropriately integrates the 1. Assess the likelihood and potential damage to the institution from an
information security program across incident;
the institution’s lines of business and 2. Identify the root cause(s) of the incident; and
support functions. Review whether 3. Implement controls to address identified issues.
management has the following:
a. Security policies, standards, and
procedures that are designed to
support and to align with the
policies in the lines of business.
b. Incident response programs
that include all affected lines of
business and support units.
c. Common awareness and
enforcement mechanisms
between lines of business and
information security.
d. Visibility to assess the likelihood
of threats and potential damage to
the institution.
e. The ability to identify and
implement controls over the root
causes of an incident.

Examination Procedures
3. If the institution outsources activities to a third-party service provider, determine whether management integrates those activities with the information security program. Verify that the third-party management program evidences expectations that align with the institution’s information security program.

Bank Procedures
Third-Party Management.
1. A third-party service provider management program should integrate outsourced technology, line-of-business activities, and support functions with the information security program.
2. Effective integration is evident when an internal information security program is created that aligns the combined activities of the institution and its third-party service providers within an acceptable level of risk.
3. With respect to service provider arrangements, the institution should:
   a. Exercise appropriate due diligence in selecting service providers;
   b. Require service providers by contract to implement appropriate measures designed to ensure the security and confidentiality of the institution’s “customer information;” and
   c. Monitor service providers to confirm satisfaction of contractual obligations, including by reviewing audits, summaries of test results, or other equivalent evaluations of its service providers, as required by the risk assessment.

See IT Handbook’s “Outsourcing Technology Services” booklet, and Information Security Standards, section III.D.

Objective 4: As part of the information security program, determine whether management has established risk identification processes.

Examination Procedures
1. Determine whether management effectively identifies threats and vulnerabilities continuously.

Bank Procedures
II.A. Risk Identification (p. 7). An information security program should have documented processes to identify threats and vulnerabilities continuously.
II.A.1 Threats (p. 8). Threats:
1. Can be a natural occurrence, a technology or physical failure, or a person who intends to cause harm or who causes harm unintentionally.
2. Threat information is available from:
   a. Public sources: news media, blogs, government publications and announcements, and websites.
   b. Private sources: information security vendors and information-sharing organizations.

See NIST SP (Special Publication) 800-30, revision 1, “Information Security: Guide for Conducting Risk Assessments,” September 2012.

Examination Procedures
2. Determine whether the risk identification process produces manageable groupings of information security threats, including cybersecurity threats. Review whether management has the following:
   a. A threat assessment to help focus the risk identification efforts.
   b. A method or taxonomy for categorizing threats, sources, and vulnerabilities.
   c. A process to determine the institution’s information security risk profile.
   d. A validation of the risk identification process through audits, self-assessments, penetration tests, and vulnerability assessments.
   e. A validation through audits, self-assessments, penetration tests, and vulnerability assessments that risk decisions are informed by appropriate identification and analysis of threats and other potential causes of loss.

Bank Procedures
II.A. Risk Identification (p. 7). An information security program should:
1. Identify groupings of threats, including significant cybersecurity threats.
2. Use a taxonomy for categorizing threats, sources, and vulnerabilities to support the risk identification process and to detect or understand risk patterns and trends.

Examination Procedures
3. Determine whether management has a means to collect data on potential threats to identify information security risks. Determine whether management uses threat modeling (e.g., development of attack trees) to assist in identifying and quantifying risk and in better understanding the nature, frequency, and sophistication of threats.

Bank Procedures
Threat Modeling (p. 8). Institutions should consider using threat modeling to:
1. Better understand the nature, frequency, and sophistication of threats;
2. Evaluate the information security risks to the institution; and
3. Apply this knowledge to the institution’s information security program.

Examination Procedures
4. Determine whether management has continuous, established routines to identify and assess vulnerabilities. Determine whether management has processes to receive vulnerability information disclosed by external individuals or groups, such as security or vulnerability researchers.

Bank Procedures
II.A.2 Vulnerabilities (p. 8). Types of vulnerabilities:
1. A technical vulnerability can be a flaw in hardware, firmware, or software that leaves an information system open to potential exploitation. These flaws provide opportunities for hackers to gain access to a computer system, execute commands as another user, or access data contrary to specified access restrictions.
2. A security vulnerability can be a flaw in business operational processes that exposes financial institutions to unwarranted risk. These vulnerabilities can include weaknesses in security procedures, administrative controls, physical layout, or internal controls that could be exploited to gain unauthorized access to information or to disrupt critical services.
3. Interdependent and interconnected system vulnerabilities arising from mergers and acquisitions and from relationships with third parties that become increasingly interdependent and complex over time.
4. Supply chain vulnerability from dependence on an array of hardware and software products.
To mitigate vulnerabilities, institutions may use:
1. Automated vulnerability scanners to scan computer systems for known security exposures, and/or
2. Third-party services, such as the Mitre Corporation’s Common Vulnerabilities and Exposures (CVE), to track vulnerabilities.
Management should:
1. Assess whether the institution has processes and procedures in place to identify and maintain a catalogue of relevant vulnerabilities;
2. Determine which pose a significant risk to the institution, and effectively mitigate and monitor the risks posed by those vulnerabilities; and
3. If management cannot, or chooses not to, mitigate a vulnerability, document:
   a. The decision to accept the risk;
   b. The level of risk associated with the vulnerability; and
   c. The person accountable for accepting the risk.

See “Security Operations” section of this booklet (p. 46).



Examination Procedures
5. Determine whether management adjusts the information security program for institutional changes and changes in legislation, regulation, regulatory policy, guidance, and industry practices. Review whether management has processes to do the following:
   a. Maintain awareness of new legal and regulatory requirements or changes to industry practices.
   b. Update the information security program to reflect changes.
   c. Report changes of the information security program to the board.

Bank Procedures
II.A.3 Supervision of Cybersecurity Risk and Resources for Cybersecurity Preparedness (p. 9); II.A.3(a) Supervision of Cybersecurity Risk (p. 9)
Institutions should consider management of internal and external threats and vulnerabilities to protect information assets and the supporting infrastructure from technology-based attacks.
II.A.3(b) Resources for Cybersecurity Preparedness (p. 9)
Use of frameworks: Management can select a single framework or use a combination of resources to help identify its risks and determine its cybersecurity preparedness.
Resources to help management develop and evaluate information security and cyber resilience:
1. The voluntary FFIEC Cybersecurity Assessment Tool helps institution boards and management identify risks to their institutions and evaluate their institution’s cybersecurity preparedness.
2. NIST Cybersecurity Framework.
3. Common approaches developed by the Mitre Corporation and the U.S. Computer Emergency Readiness Team’s (US-CERT) National Cyber Awareness System, which responds to major incidents, analyzes threats, and exchanges critical cybersecurity information with trusted global partners.

Objective 5: Determine whether management measures the risk to guide its recommendations for and use of mitigating controls.

Examination Procedures
1. Determine whether management uses tools to perform threat analysis and analyzes information security events to help do the following:
   a. Map threats and vulnerabilities.
   b. Incorporate legal and regulatory requirements.
   c. Improve consistency in risk measurement.
   d. Highlight potential areas for mitigation.
   e. Allow comparisons among different threats, events, and potential mitigating controls.

Bank Procedures
II.B Risk Measurement (p. 10). Management should:
1. Use risk measurement to guide recommendations for, and use of, mitigating controls.
2. Use threat analysis tools to deconstruct an event into stages, better understand the event, identify the most effective and efficient means of mitigating risk, and improve the information security program. Such tools can include:
   a. Event tree: a diagram of a chronological series of events in a system or activity that displays sequence progression, end states, and dependencies across time;
   b. Attack tree: a diagram showing how an asset, or target, might be attacked through various attack scenarios, used to describe threats on computer systems and possible attacks to realize those threats;
   c. Kill chain: a method for modeling intrusions on a computer network;
   d. Other security-related schemata, such as lists of software vulnerabilities, including the Mitre Corporation’s Common Attack Pattern Enumeration and Classification, CVE, Common Weakness Enumeration, “ATT&CK Matrix,” and Malware Attribute Enumeration and Characterization, and Mandiant’s Open Indicators of Compromise.
3. Consider a taxonomy for security-related events to:
   a. Map threats and vulnerabilities.
   b. Incorporate legal and regulatory requirements.
   c. Improve consistency in risk measurement.
   d. Highlight potential areas for mitigation.
   e. Select proper controls to cover various attack stages, channels, and assets.
   f. Allow comparisons among different threats, events, and potential mitigating controls.

See IT Handbook’s “Management” booklet.

Objective 6: Determine whether management effectively implements controls to mitigate identified risk.

Examination Procedures
1. Determine whether policies, standards, and procedures are of sufficient scope and depth to guide information security-related decisions. Review whether policies, standards, and procedures have the following characteristics:
   a. Are appropriately implemented and enforced.
   b. Delineate areas of responsibility.
   c. Are communicated in a clear and understandable manner.
   d. Are reviewed and agreed to by employees.
   e. Are appropriately flexible to address changes in the environment.

Bank Procedures
II.C Risk Mitigation (p. 11). Risk mitigation should:
1. Include an understanding of the extent and quality of the current control environment.
2. Consider the system of controls rather than any discrete control when evaluating the strength of controls or the ability to mitigate risk.
Management should:
1. Obtain, analyze, and respond to information from various sources on cyber threats and vulnerabilities that may affect the institution (e.g., Financial Services Information Sharing and Analysis Center [FS-ISAC]).
2. Incorporate available information on cyber events into the institution’s information security program.
3. Develop, maintain, and update a repository of cybersecurity threat and vulnerability information for conducting risk assessments and providing updates to senior management and the board on cyber risk trends.
II.C.1 Policies, Standards, and Procedures (p. 11)
Information security policies, standards, and procedures should:
1) Define the institution’s control environment through a governance structure and provide descriptions of required, expected, and prohibited activities.
2) Guide decisions and activities of users, developers, administrators, and managers and inform those individuals of their information security responsibilities.
3) Specify the mechanisms through which responsibilities can be met.
4) Provide guidance on acquiring, designing, implementing, configuring, operating, maintaining, and auditing information systems.
5) Describe the roles of the information security department, lines of business, and IT organization in administering the information security program.
6) Form the means by which the objectives of the information security program are achieved.
Key attributes of successful information security policies, standards, and procedures:
1) Scope that describes the expectations for appropriate actions by affected parties.
2) Sufficient detail to guide behavior.
3) Implementation through ordinary means, such as system administration procedures and acceptable use policies.
4) Enforcement through security tools and restrictions.
5) Delineation of the areas of responsibility for users, developers, administrators, and managers.
6) Clear and easily understandable communications to all affected parties.
7) Certification that employees have read and understand the policies.
8) Flexibility to address changes in the environment.
9) Annual board review and approval.

Examination Procedures
2. Determine whether the information security policy is annually reviewed and approved by the board.

Examination Procedures
3. Determine whether the institution continually assesses the capability of technology needed to sustain an appropriate level of information security based on the size, complexity, and risk appetite of the institution.

Bank Procedures
II.C.2 Technology Design (p. 12). Management should:
1. Understand the benefits and limitations of the technology that the institution uses, and whether other types of controls are necessary to compensate for those limitations.
2. Continually assess the capability of the institution’s processes, people, and technologies to sustain the appropriate level of information security based on the institution’s risk profile, size, complexity, and risk appetite.
Information security issues arise when:
1. Design of the technology and the policies governing its use do not effectively defend against identified and unidentified threats;
2. Threats change in ways not envisioned by the designers; and
3. Controls are not operating as intended.

Examination Procedures
4. Determine whether management implements an integrated control system characterized by the use of different control types that mitigates identified risks. Review whether management does the following:
   a. Implements a layered control system using different controls at different points in a transaction process.
   b. Uses controls of different classifications, including preventive, detective, and corrective.
   c. Verifies that compensating controls are used appropriately to compensate for weaknesses with the system or process.

Bank Procedures
Controls may be categorized according to timing and nature. A control system should be:
1. Layered. Deploying different controls at different points of a business process and throughout an IT system so that the strength of one control can compensate for weaknesses in or possible failure of another control.
2. Integrated. Functioning in an integrated fashion to more effectively mitigate risk.
3. Compensating. Adjusting for weaknesses within the system or process. An example of compensating controls would be a review of activity logs for applications that do not allow proper segregation of duties. Economic and technical considerations generally affect prevention and detection or response choices in system design.

Examination Procedures
5. Determine whether management implements controls that appropriately align security with the nature of the institution’s operations and strategic direction. Specifically, review whether management does the following:
   a. Implements controls based on the institution’s risk assessment to mitigate risk from information security threats and vulnerabilities, such as interconnectivity risk.
   b. Evaluates whether the institution has the necessary resources, personnel training, and testing to maximize the effectiveness of the controls.
   c. Reviews and improves or updates the security controls, where necessary.

Bank Procedures
II.C.4 Control Implementation (p. 12). Management should:
1. Implement controls that align security with the nature of the institution’s operations and strategic direction.
2. Implement risk-based controls for managing cybersecurity threats and vulnerabilities, such as interconnectivity risk, in light of increasing cybersecurity risks.
3. Review and update the security controls as necessary depending on changes to the internal and external operating environment, technologies, business processes, and other factors.
4. Ensure the institution has the necessary resources, personnel training, and testing to maximize the effectiveness of implemented controls.
Controls should include, but may not be limited to:
1. Patch management;
2. Asset and configuration management;
3. Vulnerability scanning and penetration testing;
4. End-point security;
5. Resilience controls;
6. Logging and monitoring; and
7. Secure software development (including third-party software development).
References: The institution can reference one or more recognized technology frameworks and industry standards. Several organizations have published control listings in addition to implementation guidance, including:
1. NIST 800 “Computer Security” publication series. These publications provide descriptions of some management processes and technical guidance on many individual controls.
2. Control Objectives for Information and Related Technology (COBIT). COBIT provides a broad and deep framework for governance and management of enterprise IT.
3. IT Infrastructure Library (ITIL). ITIL provides a list of recognized practices for IT service management.
4. International Organization for Standardization (ISO) 27000 series. The ISO 27000 series provides control standards specific to information security. ISO is an independent, non-governmental, international organization that brings together experts to share knowledge and develop voluntary, consensus-based, market-relevant international standards.
5. Industry publications and sources. Management and staff may find these useful for discrete controls and processes. Some industry publications or organizations that provide security-related information include the ISACA Journal, SANS Institute, the Financial Services Roundtable, the Council on Cybersecurity, and the Open Web Application Security Project.
6. Vendor-provided publications, bulletin boards, and user groups. Vendors often publish recommendations for securing their products through publications, bulletin boards, and user groups.

Examination Procedures
6. Determine whether management effectively maintains an inventory(ies) of hardware, software, information, and connections. Review whether management does the following:
   a. Identifies assets that require protection, such as those that store, transmit, or process sensitive customer information, or trade secrets.
   b. Classifies assets appropriately.
   c. Uses the classification to determine the sensitivity and criticality of assets.
   d. Uses the classification to implement controls required to safeguard the institution’s assets.
   e. Updates the inventory(ies) appropriately.

Bank Procedures
II.C.5 Inventory and Classification of Assets (p. 14)
Inventories enable management and staff to:
1. Identify assets, their functions, and which require additional protection, such as those that store, transmit, or process sensitive customer information, trade secrets, or other information or assets that could be a target of cyber criminals.
2. Comply with federal and state laws and regulations regarding privacy and security of sensitive customer information by knowing what information assets the institution has and where they are stored, transmitted, or processed.
Classification enables the institution to determine the sensitivity and criticality of assets.
1. Management should:
   a. Have policies to govern the inventory and classification of assets both at inception and throughout their life cycle, and wherever the assets are stored, transmitted, or processed.
   b. Maintain and keep updated an inventory of technology assets that classifies the sensitivity and criticality of those assets, including hardware, software, information, and connections.
   c. Classify the information according to the appropriate level of protection needed.
   d. Use classification to implement controls required to safeguard the institution’s physical and information assets.
2. Management can use the inventory to discover specific vulnerabilities, such as unauthorized software.
3. Examples:
   a. Systems containing sensitive customer information may require access controls based on job responsibilities. These systems should have stronger controls than systems containing information meant for the general public.
   b. Some institutions classify information as public, non-public, or institution-confidential, while others use the classifications high, moderate, and low.
   c. Additional classifications, such as critical and noncritical, may be helpful to certain types of institutions.

Examination Procedures
7. Determine whether management comprehensively and effectively identifies, measures, mitigates, monitors, and reports interconnectivity risk. Review whether management does the following:
   a. Identifies connections with third parties.
   b. Identifies access points and connection types that pose risk.
   c. Identifies connections between and access across low-risk and high-risk systems.
   d. Measures the risk associated with connections with third parties with remote access.
   e. Implements and assesses the adequacy of appropriate controls to ensure the security of connections.
   f. Monitors and reports on the institution’s interconnectivity risk.

Bank Procedures
II.C.6 Mitigating Interconnectivity Risk (p. 14). Management should:
1. Identify connections with third parties, including other financial institutions, financial institution intermediaries, and third-party service providers.
2. Identify all access points and connection types that pose risk, such as local area network (LAN) connections to other networks or Internet service providers (ISP), Wi-Fi, and cellular connections.
3. Identify connections between and access across low-risk and high-risk systems.
4. Assess all connections with third parties that provide remote access capability or control over internal systems.
5. Implement and assess the adequacy of controls to ensure the security of connections regardless of criticality or sensitivity.
6. Maintain network and connectivity diagrams and data flow charts to ensure adequacy of layered controls and to facilitate more timely recovery and restoration of systems when incidents occur.

Examination Procedures
8. Determine whether management effectively mitigates risks posed by users. Review whether management does the following:
   a. Develops and maintains a culture that fosters responsible and controlled access for users.
   b. Establishes and effectively administers appropriate security screening in IT hiring practices.
   c. Establishes and appropriately administers a user access program for physical and logical access.
   d. Employs appropriate segregation of duties.
   e. Obtains agreements from employees, contractors, and service providers covering confidentiality, nondisclosure, and authorized use.
   f. Provides training to support awareness and policy compliance.

Bank Procedures
II.C.7 User Security Controls (p. 15). Management should:
1. Understand the risks to the institution’s information-processing environment; and
2. Establish appropriate user access controls to mitigate these and other potential risks to the institution’s assets.
3. Security Screening.
   a. Have a process to verify job application information for all new employees; the sensitivity of a particular job or access level may warrant additional screening and recurring background and credit checks. See II.C.7(a) Security Screening in Hiring Practices.
   b. Verify that contractors are subject to similar screening procedures.
   c. Remain alert to changes in personal circumstances of employees and contractors that could increase incentives for system misuse or fraud.
4. User Access Program. Develop a user access program to implement and administer physical and logical access controls to safeguard the institution’s information assets and technology.
Examples of user risk:
1. Authorized users with elevated or administrator privileges can pose a potential threat to systems and data.
2. Employees, contractors, or third-party service providers can exploit their legitimate computer access for unauthorized purposes.
3. The degree of internal access granted to some users increases the risk of damage or loss of information and systems.
User security controls should:
1. Grant user access to systems, applications, and databases based on job responsibilities.
2. Require users to understand and confirm their understanding of their roles and responsibilities in maintaining a sound security environment, including physical and logical areas.
3. Grant access rights according to the institution’s physical and logical access control policies.
Risk exposures from internal users include:
1. Alteration of data.
2. Deletion of production and backup data.
3. Misdirected data.
4. Disruption of systems.
5. Destruction of systems.
6. Misuse of systems for personal gain or to damage the institution.
7. Appropriation of strategic or customer data for espionage or fraud schemes.
8. Extortion for stolen data.
9. Misuse of data following the termination or change in job responsibility of an employee.
II.C.7(b) User Access Program (p. 16). A User Access Program should include:
1. Principle of least privilege, which recommends minimum user profile privileges for both physical and logical access based on job necessity.
2. Alignment of employee job descriptions to the user access program.
3. Requirements for business and application owners to define user profiles.
4. Ongoing reviews by business line and application owners to verify access based on job roles with timely reporting of changes to security personnel.
5. Timely notification from human resources to security administrators to adjust user access based on job changes, including terminations.
6. Periodic independent reviews that ensure effective administration of user access, both physical and logical.
See “Physical Security” and “Logical Security” sections of this booklet.
II.C.7(c) Segregation of Duties (p. 16). Management should:
1. Evaluate the process for determining which individuals should be granted system administrator privileges or other super user accounts for system administration, including root, administrator, admin, or supervisor.
2. Monitor such access appropriately for unauthorized or inappropriate activity.
3. Incorporate independent reviews or approvals for individuals who perform multiple functions to minimize the potential for fraud, irregularities, and errors.
4. Require an independent review (e.g., audit) of an activity if conducted without appropriate segregation of duties.
5. Examples:
   a. Independent monitoring of the activities performed by the users with increased privileges (e.g., system administrators and super users).
   b. Distribution of system administration activities so no administrator can hide his or her activities or control an entire system.
   c. Additional levels of approval as the criticality and sensitivity of decisions increase.
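As an added example (not part of the ABA guide or the FFIEC booklet), the following Python script performs the kind of periodic access review that II.C.7(b) items 4 through 6 and the monitoring expectation of II.C.7(c) describe: it reconciles an HR roster and a role baseline against exported access grants and flags accounts with no HR record, access that survived a termination, entitlements beyond the role baseline (least privilege), and segregation-of-duties conflicts. All datasets, field names and entitlement names are constructed for illustration and assume no particular product.

```python
"""Periodic user-access review over constructed sample data.

Checks the expectations of a user access program (least privilege against a
role baseline, timely removal of access on termination) and of segregation of
duties (no single user holding conflicting functions). Every dataset below is
constructed for illustration; the field names are assumptions, not a standard.
"""
from dataclasses import dataclass
from datetime import date

# Review date (constructed).
AS_OF = date(2017, 4, 1)

# Constructed HR roster: employment status and job role per user.
HR_ROSTER = {
    "alice": {"role": "teller", "status": "active", "term_date": None},
    "bob": {"role": "loan_officer", "status": "terminated", "term_date": date(2017, 3, 1)},
    "carol": {"role": "sysadmin", "status": "active", "term_date": None},
    "dave": {"role": "teller", "status": "active", "term_date": None},
}

# Constructed role baseline: the entitlements each job role justifies.
ROLE_BASELINE = {
    "teller": {"core_banking:read", "core_banking:post_txn"},
    "loan_officer": {"core_banking:read", "loan_system:originate"},
    "sysadmin": {"core_banking:admin", "ad:domain_admin"},
}

# Constructed segregation-of-duties rules: pairs no one user should hold together.
SOD_RULES = [
    ("loan_system:originate", "loan_system:approve"),
    ("core_banking:post_txn", "core_banking:admin"),
]

# Constructed export of the access actually granted on the reviewed systems.
ACCESS_GRANTS = {
    "alice": {"core_banking:read", "core_banking:post_txn"},
    "bob": {"core_banking:read", "loan_system:originate"},          # left after termination
    "carol": {"core_banking:admin", "ad:domain_admin", "core_banking:post_txn"},
    "dave": {"core_banking:read", "core_banking:post_txn",
             "loan_system:originate", "loan_system:approve"},
    "eve": {"core_banking:read"},                                    # no HR record
}


@dataclass
class Finding:
    user: str
    kind: str    # orphan | terminated | excess_privilege | sod_conflict
    detail: str


def review_access(roster, baseline, grants, sod_rules, as_of):
    """Reconcile granted access against HR data, the role baseline and SoD rules."""
    findings = []
    for user, entitlements in sorted(grants.items()):
        record = roster.get(user)
        if record is None:
            # An account with no owner in HR cannot be justified by any job role.
            findings.append(Finding(user, "orphan", "account has no HR record"))
            continue
        if record["status"] != "active":
            # Access should have been removed when HR reported the termination.
            days = (as_of - record["term_date"]).days
            findings.append(Finding(user, "terminated",
                                    f"access still active {days} days after termination"))
        # Least privilege: anything beyond the role baseline needs justification.
        excess = entitlements - baseline.get(record["role"], set())
        if excess:
            findings.append(Finding(user, "excess_privilege",
                                    "beyond role baseline: " + ", ".join(sorted(excess))))
        # Segregation of duties: flag conflicting functions held by one user.
        for first, second in sod_rules:
            if first in entitlements and second in entitlements:
                findings.append(Finding(user, "sod_conflict", f"{first} with {second}"))
    return findings


def summarize(findings):
    """Count findings by kind, for the report to security personnel."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def run_review():
    """Run the review over the constructed datasets."""
    return review_access(HR_ROSTER, ROLE_BASELINE, ACCESS_GRANTS, SOD_RULES, AS_OF)


if __name__ == "__main__":
    results = run_review()
    for f in results:
        print(f"{f.user:<6} {f.kind:<17} {f.detail}")
    print(summarize(results))
```

In practice the three inputs would come from the HR system, the access model owned by business and application owners, and an export from each reviewed system, and each finding would be routed to the owner named in the user access program.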
II.C.7(d) Confidentiality Agreements (p. 17). Management should obtain signed
confidentiality agreements before granting employees and contractors system
access.
II.C.7(e) Training (p. 17). Management should:
1. Educate users about their security roles and responsibilities and
communicate to them through acceptable use policies.
2. Hold all employees, officers, and contractors accountable for complying with security and acceptable use policies.
3. Ensure that the institution’s information and other assets are protected.
4. Have the ability to impose sanctions for noncompliance.
5. Understand that management’s behavior and priorities heavily influence
employee awareness and policy compliance.
6. Content:
a. Training materials for most users focus on issues such as end-point
security, log-in requirements, and password administration guidelines.
b. Training programs should include scenarios capturing areas of significant
and growing concern, such as phishing and social engineering attempts,
loss of data through e-mail or removable media, or unintentional posting
of confidential or proprietary information on social media.
c. Training should change to reflect the risk environment.
d. Employee training should be annual.
e. The institution should collect signed acknowledgments of the employee
acceptable use policy as part of the training program.
See also Interagency Guidelines Establishing Information Security Standards, section
III.C.2 [summary (requiring each financial institution to train staff to implement its
information security program)].

9. Determine whether management II.C.8 Physical Security (p. 18). Management should implement:
applies appropriate physical security 1. Appropriate preventive, detective, and corrective controls for mitigating the
controls to protect its premises and risks inherent to those physical security zones.
more sensitive areas, such as its data
2. Specific and formal authorization process for the removal of hardware and
center(s).
software from the premises.
Data Center Security.
1. Site Selection. A primary objective of site selection should be limiting risk
of exposure from internal and external threats, including, where possible,
environmental threats of physical locations (e.g., hurricanes, earthquakes,
and blizzards).
2. Physical Security — environment.
a. The selection process should include reviewing the surrounding area
to determine whether it is relatively safe from exposure to fire, flood,
explosion, or similar environmental hazards.
b. A combination of fire suppression, smoke alarms, raised flooring, and heat
and moisture sensors should address risks from environmental threats
(e.g., fire, flood, and excessive heat).
c. Environmental threat monitoring should be continuous, and responses
should occur when alarms activate.
3. Physical Security — deterrence and surveillance.
a. Guards, fences, barriers, surveillance equipment, or other devices can
deter intruders.
b. Appropriate physical controls should be in place in order to restrict access
to key information system hardware and software.
c. The location should not be identified or advertised by signage or other
indicators.
d. Detection devices.
i. Should be used to prevent theft, safeguard the equipment, and provide
continuous coverage. Detection devices have two purposes:
a. Send alarms when responses are necessary; and
b. Support subsequent forensics.
ii. Are useful only if a response actually occurs when the alarm is activated.
iii. Some detection devices include the following:
a. Switches that activate alarms when electrical circuits are broken;
b. Light and laser beams, ultraviolet beams, sound or vibration
detectors that are invisible to intruders; and
c. Ultrasonic or radar devices that detect movement.
e. Closed-circuit television (CCTV) that provides visual observation and
records intrusions.
f. Preventive maintenance and testing.
i. Maintenance logs should demonstrate that physical security devices
are maintained regularly.
ii. Periodic testing provides assurance that the devices are operating
correctly.
Security Guard Policy.
1. The institution should have policies governing the duties and responsibilities
of security guards.
2. Security guards should be trained to restrict the removal of technology assets
from the premises and to record the identity of anyone attempting to remove
those assets.
Physical Access.
1. Employees who access secured areas should have proper identification and
authorization to enter the areas.
2. All non-employees should provide identification to a security guard before
obtaining access to secured areas.
3. Physical access to the following equipment or areas should be restricted:
a. Operations centers (e.g., data center operations, security operations
center, and network operations center) or server rooms; uninterruptible
power supplies and backup generators.
b. Funds transfer and automated clearinghouse routers.
c. Telecommunications equipment.
d. Media libraries.
e. Equipment removed from the network and awaiting disposal.
f. Spare or backup devices.

Examination Procedure 10. Determine whether management secures access to its computer networks through multiple layers of access controls. Review whether management does the following:
a. Establishes zones (e.g., trusted and untrusted) according to risk with appropriate access requirements within and between each zone.
b. Maintains accurate network diagrams and data flow charts.
c. Implements appropriate controls over wired and wireless networks.

Bank Procedures:
II.C.9 Network Controls (p. 19)
1. Networks should be protected by a secure boundary, within which “trusted” and “untrusted” zones are identified.
2. Internal zones, typically a trusted zone, should segregate various components into distinct areas, each with the level of controls appropriate to the content and function of the assets within the zone.
Trusted Network:
1. Segregation into internal layers/environments, including:
a. Production;
b. Staging; and
c. Development.
2. Segregate sensitive traffic, such as Voice over Internet Protocol (VoIP) and network management traffic (e.g., virtualization infrastructure that carries server boot images between storage devices and hosts), from other traffic.
3. Develop zone security policies.
a. Zone restrictions are defined by risk, sensitivity of data, user roles, and appropriate access to application systems.
b. Access to zones should be controlled according to the principle of least privilege and segregation of duties.
4. Network and Data Flow Diagrams. To ensure appropriate network security, management should maintain accurate network and data flow diagrams:
a. Identifying hardware, software, and network components, internal and external connections, and types of information passed between systems to facilitate the development of a defense-in-depth security architecture.
b. Securely stored with access restricted to essential personnel.
5. Protection: The institution’s trusted network should be protected through:
a. Appropriate configuration and patch management,
b. Privileged access controls and segregation of duties,
c. Implementation of effective security policies; and
d. Use of perimeter devices and systems to prevent and detect unauthorized access.
e. Perimeter protection may include:
i. Routers;
ii. Firewalls;
iii. Intrusion detection systems (IDS) and intrusion prevention systems (IPS);
iv. Proxies;
v. Gateways;
vi. Jump boxes or jump servers, which provide access to or control of other network servers or devices that may require additional security measures;
vii. Demilitarized zones (DMZ);
viii. Virtual private networks (VPN);
ix. Virtual LANs (VLAN);
x. Log monitoring and network traffic inspection systems;
xi. Data loss prevention (DLP) systems; and
xii. Access control lists.
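The zone model in the Trusted Network items above (a trusted/untrusted boundary, production/staging/development layers, least-privilege access between zones, and perimeter devices that deny anything not explicitly permitted) can be written down as a small, testable policy. The following Python is an added example, not code from the ABA guide or the FFIEC booklet. The zone names, address ranges, rules and sample flows are constructed for illustration, and the least-privilege checks encode assumptions about what such a policy would forbid: no “any” zones, no all-ports rules between different zones, and no direct path from the untrusted or non-production zones into production.

```python
"""Zone-based network access policy: default deny, least privilege between zones.

Added example; zones, address ranges, rules and flows are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Zone name -> address blocks (constructed). The longest matching prefix wins,
# so 0.0.0.0/0 acts as the catch-all "untrusted" zone for anything unlisted.
ZONES = {
    "untrusted": ["0.0.0.0/0"],
    "dmz":       ["192.0.2.0/24"],      # reverse proxies, public-facing services
    "prod":      ["10.10.0.0/16"],      # production
    "staging":   ["10.20.0.0/16"],
    "dev":       ["10.30.0.0/16"],
    "mgmt":      ["10.99.0.0/24"],      # jump hosts and admin stations
}


@dataclass(frozen=True)
class Rule:
    src: str            # zone name, or "any"
    dst: str            # zone name, or "any"
    port: object        # TCP port number, or "any"
    comment: str


# Explicit allow list; a flow matching no rule is denied (default deny).
RULES = [
    Rule("untrusted", "dmz", 443, "public HTTPS terminates on the DMZ proxies"),
    Rule("dmz", "prod", 8443, "proxies reach the application tier only"),
    Rule("mgmt", "prod", 22, "admin SSH to production only from jump hosts"),
    Rule("mgmt", "staging", 22, "admin SSH to staging only from jump hosts"),
    Rule("dev", "dev", "any", "unrestricted inside the development zone"),
]


def zone_of(ip: str) -> str:
    """Most specific zone containing ip; falls back to 'untrusted'."""
    addr = ipaddress.ip_address(ip)
    best, best_len = "untrusted", -1
    for name, blocks in ZONES.items():
        for block in blocks:
            net = ipaddress.ip_network(block)
            if addr in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


def is_allowed(src_ip: str, dst_ip: str, port: int, rules=RULES) -> tuple[bool, str]:
    """First matching rule wins; no match means deny."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for r in rules:
        if r.src in (src, "any") and r.dst in (dst, "any") and r.port in (port, "any"):
            return True, f"{src}->{dst}:{port} allowed ({r.comment})"
    return False, f"{src}->{dst}:{port} denied (no matching rule, default deny)"


def least_privilege_findings(rules=RULES) -> list[str]:
    """Rules broader than a zone policy should tolerate (policy assumptions)."""
    findings = []
    for r in rules:
        if "any" in (r.src, r.dst):
            findings.append(f"{r.comment!r}: uses the 'any' zone")
        if r.port == "any" and r.src != r.dst:
            findings.append(f"{r.comment!r}: permits all ports between different zones")
        if r.src == "untrusted" and r.dst == "prod":
            findings.append(f"{r.comment!r}: untrusted traffic reaches production directly")
        if r.src in ("dev", "staging") and r.dst == "prod":
            findings.append(f"{r.comment!r}: non-production zone reaches production")
    return findings


if __name__ == "__main__":
    # Constructed sample flows: (source, destination, port)
    for flow in [("198.51.100.7", "192.0.2.10", 443),   # internet -> DMZ proxy
                 ("198.51.100.7", "10.10.4.2", 5432),    # internet -> production database
                 ("10.30.1.1", "10.10.4.2", 22),         # developer host -> production
                 ("10.99.0.5", "10.10.4.2", 22)]:        # jump host -> production
        print(is_allowed(*flow)[1])
    for f in least_privilege_findings(RULES + [Rule("any", "prod", "any", "temporary troubleshooting")]):
        print("finding:", f)
```

The point of `least_privilege_findings` is the review step the booklet asks for: a “temporary” any-to-production rule passes the flow evaluator happily, and only a policy check over the rule base itself catches it. In practice the rule base would be exported from the firewall and the zone table from the network diagrams the institution is required to maintain.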
II.C.9(a) Wireless Network Considerations (p. 20). Management should:
1. Consider limiting the WLAN signal to authorized areas, within the
boundaries of the institution, if feasible.
2. Use an industry-accepted level of encryption with strength commensurate
with the institution’s risk profile on the institution’s wireless networks.
Wireless access points should be:
1. Physically secure to prevent compromise;
2. Securely configured to provide the same level of control as a wired
connection;
3. On a network that is scanned regularly to detect rogue access points and
unauthorized wireless access points;
4. Connected to a network access control (NAC) system to prevent the
successful connection of unauthorized devices, or use by malicious insiders,
and attackers, if appropriate.
• Wireless gateways can allow management to implement more complex
access controls, including advanced identity management capabilities and
services to detect and remediate malicious software.
• Wireless Policies should prohibit installation of wireless access points and
gateways without approval and formal inclusion in the hardware inventory.
• Network monitoring systems should be configured to detect the addition of
new devices.
• Guest Wireless Networks. The bank may provide guests with access to a
wired or wireless network, but the network should be configured to prevent
access to the production network.
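Regular scanning for rogue access points and detecting newly added devices, as the bullets above require, reduces to comparing what is on the air with the approved hardware inventory. The following Python is an added example, not code from the ABA guide or the FFIEC booklet. The inventory and the scan records are constructed; in practice the inventory comes from the approved hardware inventory and the scan from a wireless controller or wireless IDS export. The signal-strength threshold used to guess whether an unknown transmitter is inside the premises is an assumption.

```python
"""Flag rogue and evil-twin access points in a wireless scan.

Added example; inventory, scan records and the RSSI threshold are constructed.
"""
CORPORATE_SSIDS = {"BANK-CORP", "BANK-GUEST"}

# bssid -> ssid, from the approved hardware inventory (constructed)
AUTHORIZED = {
    "00:11:22:33:44:01": "BANK-CORP",
    "00:11:22:33:44:02": "BANK-GUEST",
}

# Constructed scan results (what a controller or wireless IDS would export)
SCAN = [
    {"bssid": "00:11:22:33:44:01", "ssid": "BANK-CORP", "security": "WPA2-Enterprise", "rssi": -48},
    {"bssid": "00:11:22:33:44:02", "ssid": "BANK-GUEST", "security": "WPA2-PSK", "rssi": -55},
    {"bssid": "DE:AD:BE:EF:00:01", "ssid": "BANK-CORP", "security": "Open", "rssi": -42},
    {"bssid": "AA:BB:CC:DD:EE:01", "ssid": "Linksys", "security": "WPA2-PSK", "rssi": -39},
    {"bssid": "AA:BB:CC:DD:EE:02", "ssid": "NeighborCafe", "security": "WPA2-PSK", "rssi": -85},
]

RSSI_INSIDE = -60   # assumption: stronger than this is probably transmitting from inside the premises
WEAK = {"Open", "WEP"}


def classify(ap: dict, authorized=AUTHORIZED, corporate=CORPORATE_SSIDS, rssi_inside=RSSI_INSIDE) -> str:
    """One finding string per access point, or 'ok' for an expected, well-configured AP."""
    bssid, ssid = ap["bssid"].lower(), ap["ssid"]
    known = {k.lower(): v for k, v in authorized.items()}
    if bssid in known:
        if known[bssid] != ssid:
            return "authorized AP broadcasting an unexpected SSID"
        if ap["security"] in WEAK:
            return "authorized AP with no or weak encryption"
        return "ok"
    if ssid in corporate:
        # Unknown radio advertising our SSID: clients may be lured into an attacker's AP
        return "evil twin: corporate SSID from an unknown BSSID"
    if ap["rssi"] > rssi_inside:
        # Strong and unknown: check whether it is plugged into our wired network
        return "unknown AP with strong signal: possible rogue on the premises"
    return "unknown AP with weak signal: probably a neighbour"


def findings(scan=SCAN) -> dict:
    """bssid -> classification for every AP that is not 'ok'."""
    return {ap["bssid"]: classify(ap) for ap in scan if classify(ap) != "ok"}


if __name__ == "__main__":
    for bssid, verdict in findings().items():
        print(bssid, verdict)
```

The evil-twin case is the one that matters most for a bank: it needs no connection to the wired network at all, so NAC will not see it, and only a radio-side comparison against the inventory catches it.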
Remote Network Connectivity. The institution should:
1. Ensure that the remote connection is encrypted and secured.
2. Use VPN connections over broadband networks or wireless air card connections to isolate and encrypt remote traffic to institution networks.
3. Consider compensating controls, such as restricting access to network resources, because IP geolocation information may not always be available for broadband connections, which can limit the effectiveness of monitoring.
Examination Procedure 11. Determine whether management has a process to introduce changes to the environment (e.g., configuration management of IT systems and applications, hardening of systems and applications, use of standard builds, and patch management) in a controlled manner. Determine whether management does the following:
a. Maintains procedures to guide the process of introducing changes to the environment.
b. Defines change requirements.
c. Restricts changes to authorized users.
d. Reviews the potential impact changes have on security controls.
e. Identifies all system components affected by the changes.
f. Develops test scripts and implementation plans.
g. Performs necessary tests of all changes to the environment (e.g., systems testing, integration testing, functional testing, user acceptance testing, and security testing).
h. Defines rollback procedures in the event of unintended or negative consequences with the introduced changes.
i. Verifies the application or system owner has authorized changes in advance.
j. Maintains strict version control of all software updates.
k. Validates that new hardware complies with institution policies and guidelines.
l. Verifies network devices are properly configured and function appropriately within the environment.
m. Maintains an audit trail of all changes.

Bank Procedures:
II.C.10 Change Management Within the IT Environment (p. 21). The process for introducing software should encompass securely developing, implementing, and testing changes to software, whether internally developed or acquired.
Application and system control considerations for introducing changes to the IT environment before implementation should include:
1. Developing procedures to guide the process of introducing changes to the environment.
2. Clearly defining requirements for changes.
3. Restricting changes to authorized users.
4. Reviewing the impact that changes have on security controls.
5. Identifying all system components affected by the changes.
6. Developing test scripts and implementation plans.
7. Performing necessary tests of all changes to the environment (e.g., systems testing, integration testing, functional testing, user acceptance testing, and security testing).
8. Defining rollback procedures in the event of unintended or negative consequences with the newly introduced changes.
9. Ensuring the application or system owner has authorized changes in advance.
10. Maintaining strict version control of all software updates.
11. Validating that new hardware complies with institution policies.
12. Ensuring network devices are properly configured and function appropriately within the environment.
13. Maintaining an audit trail of all changes.
See IT Handbook’s “Development and Acquisition” booklet.

Examination Procedure 12. Determine whether appropriate processes exist for configuration management (managing and controlling configurations of systems, applications, and other technology).

Bank Procedures:
II.C.10(a) Configuration Management (p. 22). Management should:
1. Have policies and procedures to ensure compliance with minimally acceptable system configuration requirements;
2. Update baselines;
3. Confirm security settings;
4. Track, verify, and report configuration items;
5. Monitor configurations for unauthorized changes, and identify misconfigurations; and
6. Consider automated solutions to help track, manage, and identify necessary corrections.
Examination Procedure 13. Determine whether management has processes to harden applications and systems (e.g., installing minimum services, installing necessary patches, configuring appropriate security settings, enforcing principle of least privilege, changing default passwords, and enabling logging).

Bank Procedures:
II.C.10(b) Hardening (p. 22). Management should:
1. Consult operating system and software vendor-recommended security controls.
2. Hardening.
a. Harden the resulting applications and systems when deploying COTS applications and systems.
b. Hardening includes:
i. Determining the purpose of the applications and systems and documenting minimum software and hardware requirements and services to be included.
ii. Installing the minimum hardware, software, and services necessary to meet the requirements using a documented installation procedure, necessary patches, and the most secure and up-to-date versions of applications.
iii. Configuring privilege and access controls by first denying all, then granting back the minimum necessary to each user (i.e., enforcing the principle of least privilege), and configuring security settings as appropriate, enabling allowed activity and prohibiting nonapproved activities.
iv. Enabling logging.
v. Creating cryptographic hashes of key files.
vi. Archiving the configuration and checksums in secure storage before system deployment.
vii. Using secure replication procedures for additional, identically configured systems and making configuration changes on a case-by-case basis.
viii. Changing all default passwords.
ix. Testing the system to ensure a secure configuration.
x. Auditing the systems periodically to ensure that the hardware, software, and services are authorized and properly configured.
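Hardening steps v, vi and x above (hash key files, archive the checksums before deployment, audit periodically) and configuration management item 5 (monitor for unauthorized changes and identify misconfigurations) are the same mechanism seen at two points in time. The following Python is an added example, not code from the ABA guide or the FFIEC booklet. It builds a throwaway directory of constructed configuration files, records SHA-256 hashes of the hardened state, then audits the live state for file drift and for settings below a minimum baseline. The file names, the settings and the minimum values are assumptions for illustration, modelled on common sshd_config hardening rather than on any bank’s policy.

```python
"""Hardening baseline and configuration drift audit.

Added example; sample files, settings and minimum values are constructed.
"""
import hashlib
import os
import shutil
import tempfile

# Minimally acceptable values for the sample service (assumption). Keys are
# lower-cased because sshd keywords are case-insensitive.
MIN_SETTINGS = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "x11forwarding": "no",
    "loglevel": "VERBOSE",
}

HARDENED_SSHD = """# constructed sample of the hardened state
Port 22
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
LogLevel VERBOSE
"""


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Relative path -> SHA-256 for every file under root; archive this with the build (step vi)."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def audit_files(root: str, baseline: dict) -> dict:
    """Compare the live tree with the archived baseline (step x)."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def parse_settings(text: str) -> dict:
    """'Keyword value' lines; comments stripped; the first value for a keyword wins, as sshd does."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def check_settings(text: str, required: dict = MIN_SETTINGS) -> list:
    """Settings that are missing or weaker than the minimum baseline."""
    settings = parse_settings(text)
    findings = []
    for key, want in required.items():
        have = settings.get(key)
        if have is None:
            findings.append(f"{key}: not set explicitly (wanted {want})")
        elif have.lower() != want.lower():
            findings.append(f"{key}: is {have!r}, minimum acceptable is {want!r}")
    return findings


def run_demo() -> dict:
    """Baseline a hardened tree, then simulate unauthorized drift and audit it."""
    root = tempfile.mkdtemp(prefix="hardening-demo-")
    try:
        cfg = os.path.join(root, "etc", "ssh", "sshd_config")
        os.makedirs(os.path.dirname(cfg))
        with open(cfg, "w") as f:
            f.write(HARDENED_SSHD)
        baseline = build_baseline(root)
        clean = audit_files(root, baseline)
        # Unauthorized drift: root login re-enabled and a startup hook dropped in.
        with open(cfg, "w") as f:
            f.write(HARDENED_SSHD.replace("PermitRootLogin no", "PermitRootLogin yes"))
        with open(os.path.join(root, "etc", "rc.local"), "w") as f:
            f.write("/tmp/.x &\n")
        drift = audit_files(root, baseline)
        with open(cfg) as f:
            findings = check_settings(f.read())
        return {"clean": clean, "drift": drift, "findings": findings}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The hash audit and the settings check answer different questions: the first tells you that a file changed without a change record, the second tells you whether the change actually weakened the system. Keeping the baseline off the host, in the secure storage step vi calls for, is what stops an intruder from simply regenerating it.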

Examination Procedure 14. Determine whether management uses standard builds, allowing one documented configuration to be applied to multiple computers in a controlled manner, to create hardware and software inventories, update or patch systems, restore systems, investigate anomalies, and audit configurations.

Bank Procedures:
II.C.10(c) Standard Builds (p. 23). The bank:
1. Should use standard builds, which allow one documented configuration to be applied to multiple computers in a controlled manner.
2. Depending on size and complexity, may have many standard builds for different system configurations to address various business functions.
3. Standard builds simplify:
a. Creating hardware and software inventories.
b. Updating and patching systems.
c. Restoring systems in the event of a disaster or outage.
d. Investigating anomalous activity.
e. Auditing configurations for conformance with the approved configuration.
Non-Standard Builds. The institution may not be able to meet all requirements from standard builds. The use of nonstandard builds should be documented and approved by management, with appropriate changes made to patch management and disaster recovery plans.
Examination Procedure 15. Determine whether management has a process to update and patch operating systems, network devices, and software applications, including internally developed software provided to customers, for newly discovered vulnerabilities. Review whether patch management processes include the following:
a. An effective monitoring process that identifies the availability of software patches.
b. A process to evaluate the patches against the threat and network environment.
c. A prioritization process to determine which patches to apply across classes of computers and applications.
d. A process for obtaining, testing, and securely installing the patches.
e. An exception process, with appropriate documentation, for patches that an institution decides to delay or not apply.
f. A process to ensure that all patches installed in the production environment are also installed in the disaster recovery environment.
g. A documentation process to ensure the institution’s information assets and technology inventory and disaster recovery plans are updated as appropriate when patches are applied.
h. Actions to ensure that patches do not compromise the security of the institution’s systems.

Bank Procedures:
II.C.10(d) Patch Management (p. 24). Management should:
1. Implement automated patch management systems and software to ensure all network components are appropriately updated, including virtual machines, routers, switches, mobile devices, firewalls, etc.
2. Use vulnerability scanners periodically to identify vulnerabilities in a timely manner.
3. Establish and implement a monitoring process that:
a. Identifies the availability of software patches.
b. Evaluates the patches against the threat and network environment.
c. Prioritizes which patches to apply across classes of computers and applications.
d. Manages obtaining, testing, and securely installing patches, including in the institution’s virtual environments.
e. Includes an exception process, with appropriate documentation, for patches that management decides to delay or not apply.
f. Ensures that all patches installed in the production environment are also installed in the disaster recovery environment in a timely manner.
g. Documents the process to ensure the institution’s information assets and technology inventory and disaster recovery plans are updated as appropriate when patches are applied.
h. Includes a process to update software with appropriate patches where it is developed or maintained in-house.
4. Before applying a patch:
a. Back up the production system.
b. Define appropriate patch windows and restrict implementation to defined time frames to minimize business impact or potential down time.
5. Have procedures that include how to implement patches to mitigate risks of changing systems and address systems with unique configurations.
6. To ensure patches do not compromise system security:
a. Obtain the patch from a known, trusted source.
b. Verify the integrity of the patch through comparison of cryptographic hashes to ensure the patch obtained is correct and unaltered.
c. Protect and monitor the systems used to distribute patches to ensure only authorized patches are distributed.
d. Apply the patch to an isolated test system before installing on the production system to ensure the patch:
i. Is compatible with other software used on systems;
ii. Does not alter the system’s security posture in unexpected ways (such as altering log settings); and
iii. Corrects the pertinent vulnerability.
e. Test the resulting system to validate the effectiveness of the applied patch.
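Items 6.a and 6.b above (trusted source, hash comparison) only protect the institution if the expected hash comes from somewhere the attacker who could substitute the patch cannot also rewrite; a checksum published on the same download page as the file detects corruption, not substitution. The following Python is an added example, not code from the ABA guide or the FFIEC booklet. Real vendors publish a signed checksum file (GPG, Authenticode or similar); here the manifest is authenticated with HMAC-SHA256 under a key assumed to have been obtained out of band, as a standard-library stand-in for that signature. The patch bytes, the manifest and the key are constructed for the example.

```python
"""Verify a downloaded patch against an authenticated vendor checksum manifest.

Added example; patch bytes, manifest and key are constructed. HMAC stands in
for the vendor's digital signature over the checksum file.
"""
import hashlib
import hmac

# Assumption: obtained out of band from the vendor, never from the download site.
VENDOR_KEY = b"constructed-out-of-band-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_manifest(manifest: bytes, key: bytes) -> str:
    """Stand-in for the vendor's signature over the checksum file."""
    return hmac.new(key, manifest, hashlib.sha256).hexdigest()


def manifest_is_authentic(manifest: bytes, signature_hex: str, key: bytes) -> bool:
    # compare_digest runs in constant time, so the check leaks nothing about how many bytes matched
    return hmac.compare_digest(sign_manifest(manifest, key), signature_hex)


def parse_manifest(manifest: bytes) -> dict:
    """sha256sum-style lines: '<hex digest>  <file name>'."""
    entries = {}
    for line in manifest.decode("utf-8").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        entries[name.strip()] = digest.strip().lower()
    return entries


def verify_patch(patch: bytes, filename: str, manifest: bytes, signature_hex: str,
                 key: bytes = VENDOR_KEY) -> tuple:
    """Return (ok, reason). Stage the patch to the isolated test system only when ok is True."""
    if not manifest_is_authentic(manifest, signature_hex, key):
        return False, "manifest signature invalid: none of its digests can be trusted"
    expected = parse_manifest(manifest).get(filename)
    if expected is None:
        return False, f"{filename} is not listed in the manifest"
    actual = sha256_hex(patch)
    if not hmac.compare_digest(actual, expected):
        return False, f"digest mismatch for {filename}: got {actual[:12]}.., expected {expected[:12]}.."
    return True, f"{filename} verified, sha256 {actual[:12]}.."


def run_demo() -> dict:
    """Genuine patch, patch tampered in transit, forged manifest, and an unlisted file."""
    patch = b"\x7fELF constructed patch payload, app 1.2.3"          # constructed
    manifest = f"{sha256_hex(patch)}  app-1.2.3.patch\n".encode()
    signature = sign_manifest(manifest, VENDOR_KEY)

    tampered = patch[:-1] + b"!"                                     # one byte changed
    # An attacker who replaced the download also rewrites the checksum file to
    # match, but cannot produce a valid signature without the vendor key.
    forged_manifest = f"{sha256_hex(tampered)}  app-1.2.3.patch\n".encode()
    forged_signature = sign_manifest(forged_manifest, b"attacker-guess")

    return {
        "genuine": verify_patch(patch, "app-1.2.3.patch", manifest, signature),
        "tampered_patch": verify_patch(tampered, "app-1.2.3.patch", manifest, signature),
        "forged_manifest": verify_patch(tampered, "app-1.2.3.patch", forged_manifest, forged_signature),
        "unlisted": verify_patch(patch, "app-1.2.4.patch", manifest, signature),
    }


if __name__ == "__main__":
    for case, (ok, reason) in run_demo().items():
        print(f"{case:16s} {'OK    ' if ok else 'REJECT'} {reason}")
```

The order of the checks matters: the manifest’s authenticity is established first, because a digest taken from an unauthenticated manifest proves nothing. The same routine belongs on the internal patch distribution server (item 6.c), so that what it hands out to production is exactly what was verified and tested.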
Examination Procedure 16. Determine whether management plans for the life cycles of the institution’s systems, eventual end of life, and any corresponding business impacts. Review whether the institution’s life cycle management includes the following:
a. Maintaining inventories of systems and applications.
b. Adhering to an approved end-of-life or sunset policy for older systems.
c. Tracking changes made to the systems and applications, availability of updates, and the planned end of support by the vendor.
d. Planning for the update or replacement of systems nearing obsolescence.
e. Outlining procedures for the secure destruction or wiping of hard drives being returned to vendors or donated to prevent the inadvertent disclosure of sensitive information.

Bank Procedures:
II.C.11 End-of-Life Management (p. 25). Management should:
1. Plan for a system’s life cycle, eventual end of life, and any corresponding security and business impacts.
2. Have policies to manage both the hardware and software life cycles.
3. If an end-of-life system or application remains in use:
a. Ensure appropriate mitigating controls are in place, which may include segregating the system or application from the network.
b. Have a plan to replace the system or application and implement compensating controls until replacement.
c. Recognize the security risks particular to end-of-life systems and applications: increased potential for vulnerabilities because the third party no longer provides patches or support, incompatibility with other systems in the bank environment, and limitations in security features in older or obsolete systems.
End-of-Life Management Strategy should:
1. Incorporate planned changes to systems.
2. Evaluate the current environment to identify potential vulnerabilities, upgrade opportunities, or new defense layers.
3. Consider the support provided by third-party system vendors; and
4. Consider the risks related to operating unsupported legacy systems.
Effective end-of-life management should include:
1. Maintaining inventories of systems and applications.
2. Adhering to an approved end-of-life or sunset policy for older systems.
3. Tracking changes made to the systems and applications, availability of updates, and the planned end of support by the vendor.
4. Conducting risk assessments on systems and applications to help determine end-of-life.
5. Planning for the replacement of systems nearing obsolescence and complying with policy requirements for implementing new systems or applications.
6. Developing specific procedures for the secure destruction or data wiping of hard drives returned to vendors or donated, to prevent the inadvertent disclosure of sensitive information.
7. Developing a strategy for replacing and updating hardware and software that incorporates and aligns with overall information security and business strategies.
Examination Procedure 17. Determine whether management has implemented defense-in-depth to protect, detect, and respond to malware.

Bank Procedures:
II.C.12 Malware Mitigation (p. 25). Methods or systems that management should consider to protect, detect, and respond:
1. Hardware-based roots of trust that use cryptographic means to verify the integrity of software.
2. Servers that run active content at the gateway and disallow content based on policy.
3. Blacklists that disallow code execution based on code fragments, Internet locations, and other factors that correlate with malicious code.
4. White lists of allowed programs.
5. Port monitoring to identify unauthorized network connections.
6. Network segregation.
7. Computer configuration to permit the least amount of privileges necessary to perform the user’s job.
8. Application sandboxing (a restricted, controlled execution environment that prevents potentially malicious software, such as mobile code, from accessing any system resources except those for which the software is authorized) to limit the access and functionality of executed code.
9. Monitoring for unauthorized software and disallowing the ability to install unauthorized software.
10. Monitoring for anomalous activity for malware and polymorphic code.
11. Monitoring of network traffic.
12. User education in awareness, safe computing practices, indicators of malicious code, and response actions.
Examination Procedure 18. Determine whether management maintains policies and effectively controls and protects access to and transmission of information to avoid loss or damage. Review whether management does the following:
a. Requires secure storage of all types of sensitive information, whether on computer systems, portable devices, physical media, or hard-copy documents.
b. Establishes controls to limit access to data.
c. Requires appropriate controls over data stored in a cloud environment.
d. Implements appropriate controls over the electronic transmission of information or, if appropriate safeguards are unavailable, restricts the type of information that can be transmitted.
e. Has appropriate disposal procedures for both paper-based and electronic information.
f. Maintains the security of physical media, including backup tapes, containing sensitive information while in transit, including to off-site storage, or when shared with third parties.
g. Has policies restricting the use of unsanctioned or unapproved IT resources (e.g., online storage services, unapproved mobile device applications, and unapproved devices).

Bank Procedures:
II.C.13 Control of Information (p. 26). II.C.13(a) Storage (p. 27). Management should:
1. Implement policies to govern the secure storage of all types of sensitive information, whether on computer systems, on physical media, or in hard-copy documents.
2. Have appropriate logging and monitoring controls over stored information to ensure authorized access and appropriate use.
3. Periodically have the security staff, audit staff, and data owners review access rights to ensure the access rights remain appropriate and current.
4. Implement appropriate controls (such as the use of a DLP program) over portable devices and the sensitive information contained on them.
5. Consider achieving secured storage with:
a. Physical controls (see the “Physical Security” section of this booklet),
b. Logical controls (e.g., passwords, tokens, and biometrics), and
c. Environmental controls (e.g., fire and flood protection).
6. Third-Party Cloud Storage. Management should:
a. Understand:
i. The nature of the cloud technology being used;
ii. The physical location(s) where the data are stored and the related legal jurisdiction;
iii. The access controls used and the protection of the institution’s data (e.g., how access is controlled and how that information is retrieved); and
iv. The frequency and method of backup used by the cloud provider.
b. Verify that the cloud provider offers the capability for the institution to monitor:
i. System activity,
ii. Significant security incidents,
iii. Performance and uptime, and
iv. Success and failure of backups.
Information Storage:
1. Stored information:
a. Should be classified and inventoried so that it can be retrieved when needed.
b. Inventories should be updated periodically to remain current.
2. Sensitive information, such as system documentation, application source code, and production transaction data, should have more extensive controls to guard against alteration (e.g., integrity checkers and cryptographic hashes).
3. Risk mitigation for data stored on portable devices:
a. Data encryption and host-provided access controls,
b. Homing beacons that connect to a network and enable recovery of the device, and
c. Remote deletion capabilities.
II.C.13(b) Electronic Transmission of Information (p. 27). Management should:
1. Consider the type of transmission method, the sensitivity of the information to be transmitted, and the types of safeguards available to protect the information.
2. Implement appropriate controls or, if they are not available, restrict the type of information that can be transmitted.
3. When transmitting sensitive information over a public network, encrypt it to protect it from interception or eavesdropping (e.g., secure e-mail protocols, SFTP, and TLS, the successor to the secure sockets layer (SSL) protocol; SSL itself is deprecated and should be disabled on the institution’s systems).
II.C.13(c) Disposal of Information (p. 28). Management should:
1. Designate a single individual, department, or function to be responsible for disposal; this facilitates accountability and promotes compliance with disposal policies.
2. Determine the most effective method of disposal based on the type of
information.
3. Log the disposal of sensitive media. Logs should record the party responsible
for disposal, as well as the date, media type, hardware serial number, and
method of disposal.
4. Develop disposal policies and procedures addressing making data non-
recoverable and reflecting the sensitivity of the information.
5. Have policies, procedures, and training informing employees about what actions should be taken to securely dispose of computer-based media and protect the data from the risks of reconstruction.
6. Rented devices. Address by contract, the media sanitation of rented devices
so that sensitive information is disposed of properly before returning
equipment at the end of the rental period.
7. Disposal of paper.
a. Have policies prohibiting employees from discarding paper-based
information containing sensitive information through the same disposal
system as regular garbage to avoid accidental disclosure.
b. Some institutions shred paper-based media on-site, while others use collection and disposal services, to ensure the media are rendered unreadable and unlikely to be reconstructed.
8. Third parties. Institutions that contract with third-party service providers
should:
a. Conduct due diligence to ensure those third parties conduct adequate
employee background checks and employ appropriate controls.
b. Have contracts with third-party disposal firms addressing acceptable
disposal procedures.
9. Residual data.
a. Additional disposal techniques should be applied to devices containing
sensitive data because residual data can be recovered and information
contained in or on the memory of other devices may remain, even after
deletion.
b. Examples: printers, fax machines, and cellphones
10. Examples of Disposal Methods:
a. Overwriting destroys data by replacing it with new, random data. Overwriting may be preferable when the media will be reused. To be effective, overwriting may have to be performed many times. Note that file- or partition-level overwriting cannot be relied on for flash media (SSDs, USB drives, phones) or for drives with remapped sectors, because the controller may leave copies of the old data in blocks the operating system cannot address; for such media use the device’s built-in sanitize or cryptographic-erase function, or physically destroy the media.
b. Degaussing, which scrambles the data recorded on magnetic media with powerful, varying magnetic fields. Degaussing has no effect on flash media and typically leaves a hard drive unusable.
c. Physical destruction of the media can make the data unrecoverable. Media may also be physically destroyed after overwriting.
II.C.13(d) Transit of Physical Media (p. 29). Management should:
1. Implement policies for maintaining the security of physical media (including
backup tapes) containing sensitive information while in transit, including to
off-site storage, or when shared with third parties.
2. Policies should include the following:
a. Contractual requirements that incorporate necessary risk-based controls.
b. Restrictions on the carriers used.
c. Procedures to verify the identity of couriers.
d. Requirements for appropriate packaging to protect the media from
damage.
e. Use of adequate encryption of sensitive information recorded on media
that is being physically transported.
f. Tracking of shipments to provide early indications of loss or damage.
g. Security reviews or independent security reports of receiving companies.
h. Use of nondisclosure agreements for couriers and third parties.
II.C.13(e) Rogue or Shadow IT (p.29). Management should:
1. Have policies explaining that employees should not, and are not, authorized
to use unsanctioned or unapproved IT resources (e.g., online storage services,
unapproved mobile device applications, and unapproved devices).
2. Implement security awareness or information security training that includes
procedures for identifying and reporting shadow IT.

Examination Procedure 19. Determine whether management identifies factors that may increase risk from supply chain attacks and responds with appropriate risk mitigation. Review whether management implements the following as appropriate:
a. Purchases are made only through reputable sellers.
b. Purchases are made through a third party to shield the institution’s identity.
c. Hardware is reviewed for anomalies.
d. Software is reviewed through both automated software testing and code reviews.
e. Reliability of the items purchased is regularly reviewed post-implementation.

Bank Procedures:
II.C.14 Supply Chain (p. 29). Management should:
1. Identify factors that may increase risk from supply chain attacks.
2. Respond with appropriate risk mitigations.
3. Recognize that an effective information security program seeks to limit the potential for harm through techniques tailored to specific acquisitions and services.
4. Examples of mitigating supply chain risk:
a. Only making purchases through reputable sellers who demonstrate an ability to control their own supply chains.
b. Purchasing hardware and software through third parties to shield the institution’s identity.
c. Reviewing hardware for anomalies.
d. Using automated software testing and code reviews for software.
e. Regularly reviewing the reliability of software and hardware items purchased through activity monitoring and evaluations by user groups.
Examination Procedures:
20. Determine whether management has an effective process to administer logical security access rights for the network, operating systems, applications, databases, and network devices. Review whether management has the following:
a. An enrollment process to add new users to the system.
b. An authorization process to add, delete, or modify authorized user access to operating systems, applications, directories, files, and specific types of information.
c. A monitoring process to oversee and manage the access rights granted to each user on the system.
d. A process to control privileged access.
e. A process to change or disable default user accounts and passwords.

Bank Procedures:
II.C.15 Logical Security (p. 30). Management should:
1. Identify and restrict logical access to all system resources to the minimum required for legitimate and approved work activities, according to the principle of least privilege.
2. Have logical security policy and procedures addressing access rights and how those rights are administered.
3. Regularly evaluate information system access, in collaboration with system administrators.
4. Enrollment Process:
a. Identify and evaluate all users for access enrollment, including new employees, IT outsourcing relationships, and contractors. Approvals should be documented and performed by the employee’s manager or by the application or data owners responsible for each accessed resource, or established by the employee’s role or group membership, which may confer certain user access rights, as appropriate for the bank’s system.
b. Have an authorization process to enable the employee’s manager and the application or data owners to modify or delete existing user access rights to information and systems, with confirming controls.
5. Perform regular reviews of access rights on a schedule commensurate with risk to validate user access and test whether access rights continue to be appropriate or should be modified or deleted.
6. Modification. Promptly review, and modify as needed, access rights for all users who experience job changes, particularly those with privileged access, remote access privileges, and access to customer information.
a. Modifications occur when an individual’s business or job needs change in a way that requires expansion, reduction, or deletion of access rights.
b. Examples: transfers, mandatory leave, resignations, and terminations.
7. Have an acceptable use policy.
a. The policy operates as a key control to constrain user access by detailing permitted system uses, user activities, and the consequences of noncompliance, which employees should acknowledge and agree to in writing.
b. Elements of an acceptable use policy can include the following:
i. Specific access devices that can be used to access the network.
ii. Hardware and software changes the user can make to his or her access device.
iii. Purpose and scope of network activity.
iv. Permitted network services.
v. Information that can or cannot be transmitted, and authorized transmission methods.
vi. Bans on attempts to break into accounts, crack passwords, or disrupt service.
vii. Responsibilities for secure operation.
viii. Consequences of noncompliance.
Access Rights:
1. Logical user access rights administration consists of:
a. Enrolling new users to the system.
b. Authorizing modifications to user access and deletions.
c. Monitoring access rights granted to each user, including periodic review and validation of access rights.
2. Privileged Access
a. Authorization for privileged access should be tightly controlled.
b. All individuals who are granted privileged access should have the
appropriate training commensurate with the risk and complexity of the
systems and information they access.
c. Prudent practices for controlling privileged access include the following:
i. Identifying each privilege associated with each system resource.
ii. Implementing a process to allocate privileges on a need-to-use or an
event-by-event basis.
iii. Documenting the granting and extent of privileged access.
iv. Assigning privileges to a unique user ID apart from the one used for
normal business use.
v. Prohibiting shared privileged user accounts.
vi. Logging and independent monitoring of the use of privileged access.
vii. Reviewing, by an independent party, privileged access rights and
allocations at appropriate intervals.
3. Default access rights to new software and hardware
a. Default passwords should be changed, and the accounts should be
disabled.
b. If these accounts are not disabled, access should be monitored closely.
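The periodic review in items 5 and 6 above, and the privileged-access and default-account rules under Access Rights, are mechanical enough to script. The following is an added example written for this guide, not code from the FFIEC booklet or the ABA; it cross-checks a constructed entitlement export against a constructed HR roster and an approved role matrix, and flags rights outside the approved role, access that survived a job change, privileged rights held on a normal business ID rather than a separate admin ID, shared privileged accounts, and enabled default accounts. The field names (`account`, `owner`, `system`, `priv`, `enabled`) and the role matrix are assumptions, not a real IAM export format.

```python
"""Periodic access-rights review (added example; data and field names are constructed)."""
from collections import Counter, defaultdict

# Approved role matrix: role -> {system: set of permitted privileges}  (assumed)
ROLE_MATRIX = {
    "teller":   {"core": {"inquire", "post"}, "crm": {"read"}},
    "ops_lead": {"core": {"inquire", "post", "approve"}, "crm": {"read", "write"}},
    "sysadmin": {"core": {"admin"}, "os": {"admin"}},
}

# HR roster: user -> (role, status). Anything but "active" means the user's
# access must be re-reviewed (transfer, mandatory leave, termination).
HR_ROSTER = {
    "alice": ("teller", "active"),
    "bob":   ("ops_lead", "transferred"),
    "carol": ("sysadmin", "active"),
    "dave":  ("teller", "terminated"),
    "erin":  ("sysadmin", "active"),
}

PRIVILEGED = {"admin"}                               # must live on a separate admin ID
DEFAULT_ACCOUNTS = {"admin", "guest", "root", "sa"}  # vendor-supplied accounts (assumed list)

# Constructed entitlement export: one row per (account, system, privilege).
# "owner" is the person who uses the account; None means nobody has claimed it.
ENTITLEMENTS = [
    {"account": "alice",     "owner": "alice", "system": "core", "priv": "inquire", "enabled": True},
    {"account": "alice",     "owner": "alice", "system": "core", "priv": "approve", "enabled": True},
    {"account": "bob",       "owner": "bob",   "system": "core", "priv": "approve", "enabled": True},
    {"account": "carol",     "owner": "carol", "system": "os",   "priv": "admin",   "enabled": True},
    {"account": "carol-adm", "owner": "carol", "system": "os",   "priv": "admin",   "enabled": True},
    {"account": "dbadmin",   "owner": "carol", "system": "core", "priv": "admin",   "enabled": True},
    {"account": "dbadmin",   "owner": "erin",  "system": "core", "priv": "admin",   "enabled": True},
    {"account": "dave",      "owner": "dave",  "system": "core", "priv": "post",    "enabled": True},
    {"account": "admin",     "owner": None,    "system": "core", "priv": "admin",   "enabled": True},
    {"account": "guest",     "owner": None,    "system": "os",   "priv": "login",   "enabled": False},
]


def review(entitlements, roster, role_matrix):
    """Return a list of (finding, account, system, privilege) tuples."""
    findings = []
    owners_of = defaultdict(set)          # account -> set of people using it
    for e in entitlements:
        if e["owner"] is not None:
            owners_of[e["account"]].add(e["owner"])

    for e in entitlements:
        acct, owner, system, priv = e["account"], e["owner"], e["system"], e["priv"]
        # Default accounts should be disabled; an enabled one is a finding whoever owns it.
        if acct in DEFAULT_ACCOUNTS:
            if e["enabled"]:
                findings.append(("default_account_enabled", acct, system, priv))
            continue
        if owner is None or owner not in roster:
            findings.append(("no_accountable_owner", acct, system, priv))
            continue
        role, status = roster[owner]
        if status != "active":            # transfer, leave, termination: re-review
            findings.append(("job_change_review", acct, system, priv))
        if priv not in role_matrix.get(role, {}).get(system, set()):
            findings.append(("outside_approved_role", acct, system, priv))
        if priv in PRIVILEGED:
            if acct == owner:             # admin rights on the everyday business ID
                findings.append(("privilege_on_business_id", acct, system, priv))
            if len(owners_of[acct]) > 1:  # several people behind one privileged account
                findings.append(("shared_privileged_account", acct, system, priv))
    return findings


def summarize(findings):
    """Count findings by type so the reviewer can prioritise follow-up."""
    return Counter(f[0] for f in findings)


if __name__ == "__main__":
    result = review(ENTITLEMENTS, HR_ROSTER, ROLE_MATRIX)
    for f in result:
        print(*f)
    print(summarize(result))
```

On the sample data the script reports seven findings: alice holds `approve` outside the teller role, bob and dave need review after a transfer and a termination, carol holds OS admin on her business ID (her separate `carol-adm` ID is clean), `dbadmin` is shared by two people, and the vendor `admin` account is still enabled. In practice the export would come from each system's own tooling and the roster from HR, but the checks are the same.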
Examination Procedures:
21. As part of management’s process to secure the operating system and all system components, determine whether management does the following:
a. Limits the number of employees with access to the operating system and system utilities and grants only the minimum level of access required to perform job responsibilities.
b. Restricts and logs access to and activity on operating system parameters, system utilities (especially those with data-altering capabilities), and sensitive system resources (including files, programs, and processes), and supplements with additional security software, as necessary.
c. Restricts operating system access to specific terminals in physically secure and monitored locations.
d. Secures or removes external drives and portable media from system consoles, terminals, or PCs running terminal emulations, residing outside of physically secure locations.
e. Prohibits remote access to the operating system and system utilities, where feasible, and, at a minimum, requires strong authentication and encrypted sessions before allowing such remote access.
f. Filters and reviews logs for potential security events and provides adequate reports and alerts.
g. Independently monitors operating system access by user, terminal, date, and time of access.

Bank Procedures:
II.C.15(a) Operating System Access (p. 32). Management should:
1. Implement effective user access controls to appropriately restrict system access for both users and applications and, depending on the sensitivity, extend protection to the program, file, record, or field level.
2. Limit the number of employees with access to operating systems and grant only the minimum level of access required to perform job responsibilities.
3. Restrict and log access to and activity on operating system parameters, system utilities (especially those with data-altering capabilities), and sensitive system resources (including files, programs, and processes), and supplement with additional security software, as necessary.
4. Restrict operating system access to specific terminals in physically secure and monitored locations.
5. Secure or remove external drives and portable media from system consoles, terminals, or personal computers (PCs) running terminal emulations, residing outside of physically secure locations.
6. Prohibit remote access to the operating system and system utilities, where feasible, and, at a minimum, require strong authentication and encrypted sessions before allowing such remote access.
7. Filter and review logs for potential security events and provide adequate reports and alerts.
8. Independently monitor operating system access by user, terminal, date, and time of access.
Examination Procedures:
22. Determine whether management controls access to applications. Review whether management does the following:
a. Implements a robust authentication method consistent with the criticality and sensitivity of the application.
b. Manages application access rights by using group profiles.
c. Periodically reviews and approves the application access assigned to users for appropriateness.
d. Communicates and enforces the responsibilities of programmers, security administrators, and application owners in maintaining effective application access control.
e. Sets time-of-day or terminal limitations for some applications or for more sensitive functions within an application.
f. Logs access and events, defines alerts for significant events, and develops processes to monitor and respond to anomalies and alerts.

Bank Procedures:
II.C.15(b) Application Access (p. 32). Management should:
1. Implement robust authentication methods consistent with the criticality and sensitivity of the application.
2. Ease the administrative burden of managing application access rights by using group profiles, which avoids the inconsistent or inappropriate access that occurs when rights are managed individually.
3. Periodically review and approve the application access assigned to users for appropriateness.
4. Communicate and enforce the responsibilities of programmers, administrators, and application owners for maintaining effective application access control.
5. Set time-of-day or terminal limitations for some applications or for more sensitive functions within an application.
6. Log access and events, define alerts for significant events, and develop processes to monitor and respond to anomalies and alerts.
Controls:
1. Sensitive or mission-critical applications should incorporate appropriate access controls that restrict which functions are available to users and other applications.
2. Use security software programs to integrate access control between the operating system and some applications if applications do not have their own access controls or when the institution uses security software instead of the application’s native access controls.
3. Understand the functionality and vulnerabilities of the application access control solutions and consider those issues in the risk management process.
Examination Procedures:
23. Determine whether management has policies and procedures to ensure that remote access by employees, whether using institution or personally owned devices, is provided in a safe and sound manner. Review whether management does the following:
a. Provides remote access in a safe and sound manner.
b. Implements the controls necessary to offer remote access securely (e.g., disables unnecessary remote access, obtains approvals for and performs audits of remote access, maintains robust configurations, enables logging and monitoring, secures devices, restricts remote access during specific times, controls applications, enables strong authentication, and uses encryption).

Bank Procedures:
II.C.15(c) Remote Access (p. 33). Management should:
1. Policy. Have a remote access policy that:
a. Ensures that remote access by employees, whether using institution or personally owned devices, is provided in a safe and sound manner.
b. Defines how the institution provides remote access and the controls necessary to offer remote access securely.
2. Conduct a risk assessment and implement appropriate controls before adopting any remote access solution.
3. Disable remote communications if no business need exists.
4. Tightly control remote access through management approvals and subsequent audits.
5. Implement robust controls over configurations at both ends of the remote connection to prevent potential malicious use.
6. Log and monitor all remote access communications.
7. Secure remote access devices.
8. Restrict remote access during specific times.
9. Limit the applications available for remote access.
10. Use robust authentication methods for access and encryption to secure communications.
11. If using institution owned devices:
a. Prevent users from installing software on the devices.
b. Prohibit users from having administrative privileges on the devices.
c. Use firewalls, host-based IDS, and packet content filtering to identify, monitor, and limit remote access activities.
d. Limit the storage of sensitive information to institution owned devices.
12. Examples of remote access:
a. VPN and virtual desktop,
b. Remote control software and third party services,
c. File transfer software (FTP),
d. Conferencing/session sharing tools.
Examination Procedures:
24. Determine whether management effectively controls employees’ use of remote devices. Review whether management does the following:
a. Implements controls over institution owned and personally owned devices used by employees to access the network (e.g., disallows remote access without business justification, requires management approval, reviews remote access approvals, restricts access to authorized network areas, logs remote access, implements robust authentication, uses encryption, and uses application white-listing).
b. Implements controls over remote devices provided by the institution (e.g., securely configures remote access devices, protects devices against malware, patches and updates software, encrypts sensitive data, implements secure containers, audits device access, uses remote disable and wipe capabilities, and uses geolocation).
c. Uses an effective method to ensure personally owned devices meet defined institution security standards (e.g., operating system version, patch levels, and anti-malware solutions).

Bank Procedures:
II.C.15(d) Use of Remote Devices (p. 34). Management may choose to allow employees to connect remotely to the institution’s network using institution-owned or personally owned devices.
For all remote devices (p. 34), management should control employee remote access to the institution’s network by:
1. Disallowing remote access unless a compelling business justification exists.
2. Requiring management approval of employee remote access.
3. Regularly reviewing remote access approvals and rescinding those that no longer have a compelling business justification.
4. Restricting remote access to authorized network areas and applications by using VLANs, permissions, and other techniques.
5. Logging remote access communications (including date, time, user, user location, duration, and activity), analyzing logs in a timely manner, and following up on anomalies.
6. Implementing robust authentication methods for remote access.
7. Using encryption to protect communications between the access device and the institution.
8. Using application white-listing.
Controls on institution-owned devices (p. 35).
1. Securely configure remote access devices.
2. Protect remote access devices against malware.
3. Patch, update, and maintain all software on remote access devices.
4. Encrypt sensitive data residing on the access device.
5. Implement secure containers with internal boundaries to store sensitive information, in a way that is not accessible to the device without permission.
6. Periodically audit the access device configurations and patch levels.
7. Remotely disable or wipe the device in the event of theft or loss.
8. Use geolocation of the device to support device recovery efforts.
Controls on personally owned devices (p. 35). Management should have effective methods or solutions to ensure these devices meet the bank’s security standards, such as operating system version, patch levels, and anti-malware solutions, before the personally owned device is allowed on the bank’s network.
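Item 21 asks for independent monitoring of operating system access by user, terminal, date, and time, and item 5 above asks that remote access logs (date, time, user, location, duration, activity) be analyzed and anomalies followed up. The following is an added example written for this guide, not code from the FFIEC booklet or the ABA, showing that analysis over a constructed log. The log format (timestamp followed by key=value fields), the policy values, the host and user names, and the `-adm` naming convention for separate administrative IDs are all assumptions made for the example.

```python
"""Monitoring of OS and remote access logs (added example; log format and policy are constructed)."""
from collections import Counter
from datetime import datetime

# Constructed sample log: one record per session, key=value fields after the timestamp.
SAMPLE_LOG = """\
2017-03-02T09:15:07Z user=alice term=vpn-gw-1 src=198.51.100.7 geo=US dur=3600 act=rdp target=ops-ws12 result=success
2017-03-02T23:40:19Z user=bob term=vpn-gw-2 src=203.0.113.45 geo=RO dur=120 act=ssh target=core-db01 result=success
2017-03-02T10:02:33Z user=mallory term=vpn-gw-1 src=198.51.100.9 geo=US dur=0 act=ssh target=core-db01 result=failure
2017-03-02T10:02:41Z user=mallory term=vpn-gw-1 src=198.51.100.9 geo=US dur=0 act=ssh target=core-db01 result=failure
2017-03-02T10:02:52Z user=mallory term=vpn-gw-1 src=198.51.100.9 geo=US dur=0 act=ssh target=core-db01 result=failure
2017-03-02T11:30:00Z user=carol term=console-3 src=10.0.5.20 geo=US dur=900 act=ssh target=core-db01 result=success
2017-03-02T11:45:00Z user=carol-adm term=console-3 src=10.0.5.20 geo=US dur=600 act=ssh target=core-db01 result=success
"""

# Assumed policy, derived from the controls above.
POLICY = {
    "approved_remote_users": {"alice", "bob"},  # management-approved remote access list
    "work_hours_utc": (7, 19),                  # remote sessions allowed 07:00-18:59 UTC
    "allowed_geo": {"US"},                      # expected user locations
    "sensitive_hosts": {"core-db01"},           # OS access only via a separate admin ID
    "admin_id_suffix": "-adm",
    "failure_threshold": 3,                     # failures per (user, target) before alerting
}


def parse(line):
    """Split 'timestamp k=v k=v ...' into a dict with a datetime under 'time'."""
    ts, *fields = line.split()
    rec = {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for f in fields:
        k, _, v = f.partition("=")
        rec[k] = v
    return rec


def analyze(log_text, policy=POLICY):
    """Return (finding, user, timestamp) tuples for every rule a record violates."""
    findings = []
    failures = Counter()                       # (user, target) -> consecutive failures seen
    lo, hi = policy["work_hours_utc"]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse(line)
        user, when = r["user"], r["time"]
        remote = r["term"].startswith("vpn")   # terminal names the access path
        if remote and user not in policy["approved_remote_users"]:
            findings.append(("unapproved_remote_user", user, when))
        if remote and not (lo <= when.hour < hi):
            findings.append(("off_hours_remote_access", user, when))
        if remote and r["geo"] not in policy["allowed_geo"]:
            findings.append(("unexpected_location", user, when))
        if r["target"] in policy["sensitive_hosts"] and not user.endswith(policy["admin_id_suffix"]):
            findings.append(("business_id_on_sensitive_host", user, when))
        if r["result"] == "failure":
            failures[(user, r["target"])] += 1
            if failures[(user, r["target"])] == policy["failure_threshold"]:
                findings.append(("repeated_failures", user, when))
    return findings


def summarize(findings):
    """Count findings by type for the daily review report."""
    return Counter(f[0] for f in findings)


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f[2].isoformat(), f[1], f[0])
```

Over the sample, bob's session is flagged three times (after hours, from an unexpected country, and onto a sensitive host with his business ID), mallory is flagged as an unapproved remote user on each attempt and once more when the failure threshold is reached, and carol's console session to the database host with her everyday ID is flagged while her `carol-adm` session is not. A real deployment would read the VPN concentrator and host logs rather than a string, but the rule set is the part the examiner will ask about.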
Examination Procedures:
25. Determine whether management effectively provides secure customer access to financial services and plans for potential interruptions in service. Review whether management does the following:
a. Develops and maintains policies and procedures to securely offer and ensure the resilience of remote financial services (e.g., using appropriate authentication, layered security controls, and fraud detection monitoring). (For additional questions, refer to the “Mobile Financial Services” examination procedures.)
b. Plans and coordinates with ISPs and third parties to minimize exposure to incidents and continue services when faced with an incident (e.g., monitors threat alerts, service availability, applications, and network traffic for indicators of nefarious activity, and ensures traffic filtering).
c. Develops and tests a response plan in conjunction with the institution’s ISPs and third-party service providers to mitigate the interruption of mobile or remote financial services.

Bank Procedures:
II.C.16 Customer Remote Access to Financial Services (p. 35). Management should:
1. Authentication. Implement appropriate authentication techniques commensurate with the risk from remote banking activities, including:
a. Multiple factor authentication,
b. Device authentication,
c. Location consistency, and
d. Additional authentication for sensitive functions.
2. Controls. Remote access controls should include additional layered security controls and may include some combination of:
a. Application time-outs with mandatory re-authentication.
b. Fraud detection and monitoring systems that include consideration of customer history and behavior to alert management, and enable a timely and effective institution response.
c. Dual customer authorization through different access devices.
d. Out-of-band verification for transactions.
e. Positive pay, debit blocks, and other techniques to appropriately limit the transactional use of the account.
f. Supplementary controls over certain account activities, such as transaction value limits, restrictions on devices for adding payment recipients, limits on the number of transactions allowed per day, and allowable payment windows (e.g., days and times).
g. Reputation-based tools to block connections to the institution’s servers based on device or network indicators known or suspected to be associated with fraudulent activities.
h. Device authentication with appropriate enrollment and de-enrollment processes.
i. Policies for addressing customer devices identified as potentially compromised and identifying customers who may be facilitating fraud.
j. Controls over changes to account maintenance activities (e.g., address or password changes) performed by customers either online or through customer service channels.
k. Supplementary controls for system administrators who are granted privileges to set up or change system configurations of business accounts. See FFIEC’s “Supplement to Authentication in an Internet Banking Environment.”
l. Customer education to increase awareness of the fraud risk and effective techniques customers can use to mitigate the risk.
Authentication of Email and E-communications. All instructions received through e-channels should be authenticated and validated in accordance with institution policies.
Mitigating malicious activity against mobile or online services. Management should:
1. Develop and maintain policies and procedures to identify, measure, mitigate,
monitor, and report on significant security incidents to ensure the resilience
of remote financial services.
2. Monitor threat alerts.
3. Monitor service availability and diagnose causes of reduced availability.
4. Monitor applications and network traffic for indicators of nefarious activity.
5. Ensure traffic filtering by the institution’s ISP or upstream ISP, third-party
service providers, and internal resources.
6. Design and implement applications to withstand application-level DOS.
7. Utilize distributed architecture.
8. Limit traffic (e.g., allow valid traffic and block known bad traffic by port or IP
address).
9. Add bandwidth.
10. Enable access to services through alternative channels.
11. Third party Incident Response Planning. Develop and test an incident
response plan in conjunction with the institution’s ISPs and third-party
service providers to mitigate the interruption of mobile or remote financial
services. See “Incident Response” section of this booklet, pg. 50
Customers.
1. May be provided with a website disclosure with the institution’s customer
acceptable use policy.
2. The bank may require customers to demonstrate knowledge of and agreement to abide by the terms of the acceptable use policy, with confirmation in hardcopy or electronic form. See appendix E of the IT Handbook’s “Retail Payment Systems” booklet, Mobile Financial Services.
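Several of the layered controls listed under II.C.16 (transaction value limits, allowable payment windows, per-day transaction counts, restrictions on the devices that may add payment recipients, out-of-band verification, and dual customer authorization through different access devices) are rules a bank's online cash-management platform evaluates on every instruction. The following is an added example written for this guide, not code from the FFIEC booklet or the ABA or from any vendor platform; it evaluates a constructed day of commercial payment instructions against a constructed account profile. The profile values, device names, user names and transactions are all assumptions.

```python
"""Layered transaction controls for a commercial online banking account (added example; data is constructed)."""
from collections import defaultdict
from datetime import datetime
from decimal import Decimal

# Assumed per-account control settings agreed with the commercial customer.
PROFILE = {
    "per_txn_limit": Decimal("25000.00"),
    "daily_count_limit": 5,
    "dual_auth_threshold": Decimal("10000.00"),   # second authorizer required above this amount
    "payment_window": {"days": {0, 1, 2, 3, 4}, "start_hour": 8, "end_hour": 18},  # Mon-Fri 08:00-17:59
    "payee_enrollment_devices": {"dev-office-1"},  # only the enrolled desktop may add payees
    "oob_new_payee": True,                         # a new payee needs out-of-band confirmation
}

MON, SAT = datetime(2017, 3, 6), datetime(2017, 3, 4)   # constructed dates: a Monday and a Saturday


def txn(tid, when, amount, device, **extra):
    return {"id": tid, "time": when, "amount": Decimal(amount), "device": device,
            "user": "treasurer", **extra}


TRANSACTIONS = [
    txn("T1", MON.replace(hour=10, minute=0), "5000.00", "dev-office-1"),
    txn("T2", MON.replace(hour=10, minute=5), "15000.00", "dev-office-1",
        approver="controller", approver_device="dev-phone-ctl"),
    txn("T3", MON.replace(hour=10, minute=10), "15000.00", "dev-office-1",
        approver="controller", approver_device="dev-office-1"),     # approved from the same device
    txn("T4", MON.replace(hour=10, minute=15), "12000.00", "dev-office-1"),  # no second authorizer yet
    txn("T5", SAT.replace(hour=10, minute=0), "500.00", "dev-office-1"),
    txn("T6", MON.replace(hour=20, minute=30), "500.00", "dev-office-1"),
    txn("T7", MON.replace(hour=11, minute=0), "30000.00", "dev-office-1"),
    txn("T8", MON.replace(hour=11, minute=5), "2000.00", "dev-laptop-9", new_payee=True),
    txn("T9", MON.replace(hour=11, minute=10), "2000.00", "dev-office-1", new_payee=True),
    txn("T10", MON.replace(hour=11, minute=15), "2000.00", "dev-office-1",
        new_payee=True, oob_confirmed=True),
    txn("T11", MON.replace(hour=11, minute=20), "100.00", "dev-office-1"),
]

PRIORITY = ("deny", "oob_verify", "hold")   # the most restrictive outcome wins


def evaluate(t, profile, daily_counts):
    """Return (decision, reasons); accepted instructions count toward the daily limit."""
    reasons = []
    when, win = t["time"], profile["payment_window"]
    if t["amount"] > profile["per_txn_limit"]:
        reasons.append(("deny", "over_value_limit"))
    if when.weekday() not in win["days"] or not (win["start_hour"] <= when.hour < win["end_hour"]):
        reasons.append(("deny", "outside_payment_window"))
    if daily_counts[when.date()] >= profile["daily_count_limit"]:
        reasons.append(("deny", "daily_count_exceeded"))
    if t.get("new_payee"):
        if t["device"] not in profile["payee_enrollment_devices"]:
            reasons.append(("deny", "payee_added_from_unenrolled_device"))
        elif profile["oob_new_payee"] and not t.get("oob_confirmed"):
            reasons.append(("oob_verify", "new_payee_needs_out_of_band_confirmation"))
    if t["amount"] > profile["dual_auth_threshold"]:
        approver = t.get("approver")
        if approver is None:
            reasons.append(("hold", "awaiting_second_authorizer"))
        elif approver == t["user"] or t.get("approver_device") == t["device"]:
            # dual authorization only counts from a different person on a different device
            reasons.append(("deny", "dual_authorization_not_independent"))
    decision = next((d for d in PRIORITY if any(r[0] == d for r in reasons)), "allow")
    if decision != "deny":
        daily_counts[when.date()] += 1
    return decision, [r[1] for r in reasons]


def run(transactions, profile=PROFILE):
    """Evaluate instructions in submission order; returns {id: (decision, reasons)}."""
    daily_counts = defaultdict(int)
    return {t["id"]: evaluate(t, profile, daily_counts) for t in transactions}


if __name__ == "__main__":
    for tid, (decision, reasons) in run(TRANSACTIONS).items():
        print(tid, decision, ", ".join(reasons))
```

T2 passes because the second authorizer used a different device; T3 is denied because the "second" authorization came from the same desktop, which is exactly the case a compromised workstation would produce; T4 is held until an independent approval arrives; T8 is denied because payees may only be added from the enrolled device; T9 is routed to out-of-band confirmation and T10, already confirmed, goes through; T11 trips the daily count, which in this example counts held and pending instructions as well as released ones.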

Examination Procedures:
26. Determine whether management develops customer awareness and education efforts that address both retail (consumer) and commercial account holders.

Bank Procedures:
II.C.16(a) Customer Awareness and Education (p. 37). Management should:
1. Consider both retail and commercial account holders.
2. Explain protections provided, and not provided, to account holders relative to electronic funds transfers under Regulation E, and a related explanation of the applicability of Regulation E to the types of accounts accessible online.
3. Explain customer contact protocols: while a bank may contact a customer regarding his or her account or suspicious account activities, the bank should never ask the customer to provide his or her log-in credentials over the phone or via e-mail.
4. Provide a list of recommended controls and prudent practices that the
customer should implement when using the institution’s remote financial
services.
5. Suggest that commercial online customers perform a related risk assessment
and controls evaluation periodically.
6. Recommend technical and business controls to commercial customers
that can be implemented to mitigate the risks from fraud schemes such as
Business Email Compromise. See Federal Bureau of Investigation, Business
Email Compromise, Alert I-012215-PSA (Jan 2015).
7. Have a method to contact the institution if customers notice suspicious
account activity.
Examination Procedures:
27. Determine whether management uses applications that were developed by following secure development practices and that meet a prudent level of security. Determine whether management develops security control requirements for applications, whether they are developed in-house or externally. Determine whether information security personnel are involved in monitoring the application development process to verify secure development practices. Review whether applications in use provide the following capabilities:
a. Provide a prudent level of security (e.g., password and audit policies), audit trails of security and access changes, and user activity logs.
b. Have user and group profiles to manage user access for applications if they are not part of a centralized identity access management system.
c. Provide the ability to change and disable default application accounts upon installation.
d. Allow administrators to review and install patches for applications in a timely manner.
e. Use validation controls for data entry and data processing.
f. Integrate additional authentication and encryption controls, as necessary.
g. Protect web or Internet-facing applications through additional controls, including web application firewalls, regular scanning for new or recurring vulnerabilities, mitigation or remediation of common security weaknesses, and network segregation.

Bank Procedures:
II.C.17 Application Security (p. 38). Management should:
1. Testing.
a. Perform appropriate tests (e.g., penetration tests, vulnerability assessments, and application security tests) before launching or making significant changes to external-facing applications.
b. Remediate issues noted from tests before launching applications or moving changes into production.
2. Controls.
a. Implement a prudent set of security controls (e.g., password and audit policies), audit trails of security and access changes, and user activity logs for all applications.
b. Establish user and group profiles for applications if not part of a centralized identity access management system.
c. Change and disable default application accounts upon installation.
d. Review and install patches for applications in a timely manner.
e. Implement validation controls for:
i. Data entry: such as access controls over entry and changes to data, error checks, review of suspicious or unusual data, and dual entry or additional review and authorization for highly sensitive transactions or data.
ii. Data processing: such as batch control totals, hash totals of data for comparison after processing, identification of any changes made to data outside the application (e.g., data-altering utilities), and job control checks to ensure programs run in correct sequence.
f. Integrate additional authentication and encryption controls to ensure integrity and confidentiality of data and non-repudiation of transactions.
g. Protect web or Internet-facing applications through additional controls, including web application firewalls, regular scanning for new or recurring vulnerabilities, mitigation or remediation of common security weaknesses, and network segregation to limit inappropriate access or connections to the application or other areas of the network.
h. Establish security control requirements for new systems, system revisions, or new system acquisitions.
i. Define the security control requirements based on the institution’s risk assessment process, evaluating the value of the information at risk and the potential impact of unauthorized access or damage within existing software development and acquisition processes.
3. Resources. Leverage available resources, such as software tools, industry resources, specific certifications, and education courses, to assist in risk identification and improve the institution’s application security practices.
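The data-processing validation controls in item 2.e.ii above (batch control totals, hash totals compared after processing, and identification of changes made to data outside the application) can be shown concretely. The following is an added example written for this guide, not code from the FFIEC booklet or the ABA. A constructed batch of posting records is summarized before processing as a record count, a control total (sum of amounts), a hash total (sum of account numbers, a figure with no business meaning that exists only to detect alteration), and a cryptographic digest of the canonical records; the three tampering functions then show which control catches which kind of out-of-application change. The account numbers and amounts are constructed.

```python
"""Batch control totals and hash totals for data-processing validation (added example; batch is constructed)."""
import hashlib
from decimal import Decimal

# Constructed batch of posting records: (account_number, amount)
BATCH = [
    (1001234, Decimal("250.00")),
    (1005678, Decimal("1200.50")),
    (1009012, Decimal("75.25")),
    (1003456, Decimal("980.00")),
]


def canonical(records):
    """Order-independent serialization, so only content changes affect the digest."""
    return "\n".join(f"{acct}|{amt:.2f}" for acct, amt in sorted(records))


def batch_controls(records):
    """The figures computed when the batch is created and carried with it."""
    return {
        "count": len(records),
        "control_total": sum((amt for _, amt in records), Decimal("0")),
        "hash_total": sum(acct for acct, _ in records),   # meaningless total of a key field
        "digest": hashlib.sha256(canonical(records).encode()).hexdigest(),
    }


def verify(records, expected):
    """Recompute after processing; return the names of the controls that no longer match."""
    actual = batch_controls(records)
    return [name for name in expected if actual[name] != expected[name]]


# Three ways a batch can be altered outside the application, e.g. with a data-altering utility:

def tamper_amount(records):
    """Inflate one posting; changes the control total."""
    r = list(records)
    acct, amt = r[1]
    r[1] = (acct, amt + Decimal("1000.00"))
    return r


def transpose_account(records):
    """1001234 -> 1001243, a digit transposition; amounts untouched, hash total changes."""
    r = list(records)
    r[0] = (1001243, r[0][1])
    return r


def move_funds(records):
    """Shift value between two records; count, control total and hash total all survive."""
    r = list(records)
    r[0] = (r[0][0], r[0][1] - Decimal("100.00"))
    r[1] = (r[1][0], r[1][1] + Decimal("100.00"))
    return r


if __name__ == "__main__":
    expected = batch_controls(BATCH)
    for label, altered in (("unchanged", BATCH), ("amount", tamper_amount(BATCH)),
                           ("account", transpose_account(BATCH)), ("moved", move_funds(BATCH))):
        print(label, verify(altered, expected) or "ok")
```

The arithmetic totals are cheap and survive reformatting, which is why batch systems have used them for decades, but `move_funds` shows their limit: a change that preserves every sum is invisible to them and is caught only by the digest. Keeping both, and storing the expected figures somewhere the data-altering utility cannot reach, is the combination the control describes.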
Examination Procedures:
28. With respect to developed software, determine whether institution management does the following:
a. Reviews mitigation of potential flaws in applications.
b. Obtains attestation or evidence from third-party developers that the applications acquired by the institution meet the necessary security requirements and that noted vulnerabilities or flaws are remediated in a timely manner.
c. Performs ongoing risk assessments to consider the adequacy of application-level controls in light of changing threat, network, and host environments.
d. Implements minimum controls recommended by third-party service providers and considers supplemental controls as appropriate.
e. Reviews available audit reports, and considers and implements appropriate control recommendations.
f. Collects data to build metrics and reporting of configuration management compliance and vulnerability management.

Bank Procedures:
Software Development (p. 39). Management should:
1. Mitigate risks from potential application flaws allowing remote access by customers and others through network, host, and application layer architecture considerations.
2. Perform ongoing risk assessments to consider the adequacy of application-level controls in light of changing threat, network, and host environments.
3. Review available audit reports, and consider and implement appropriate control recommendations.
4. Collect data to build metrics and reporting of configuration management compliance, vulnerability management, and other measurable items as determined by management.
5. Have a process to determine risks posed by the system and necessary security requirements, which may include referring to published, widely recognized industry standards as a starting point for establishing the institution’s security requirements.
6. Development processes.
a. Information security personnel should be involved from the outset in application development to determine whether security controls are designed, tested, and implemented and information security needs are being met.
b. Monitor the development environment to ensure implemented controls are functioning properly.
c. Verify the security of third-party developed applications to determine whether the application meets the institution’s security requirements.
d. Environment. Analyze the environment where the application will reside, and reevaluate security requirements and assurance as the environment changes.
7. Third parties.
a. Ensure third-party developers of applications meet the same controls.
b. Obtain attestation or evidence from third-party developers that the application acquired by the institution meets the necessary security requirements and that noted vulnerabilities or flaws are remediated in a timely manner.
c. Implement minimum controls recommended by the third-party service provider and consider supplemental controls as appropriate.

Examination Procedures:
29. For database security, determine whether management implemented or enabled controls commensurate with the sensitivity of the data stored in or accessed by the database(s). Determine whether management appropriately restricts access and applies the rule of least privilege in assigning authorizations.

Bank Procedures:
II.C.18 Database Security (p. 40).
• Databases can be developed in-house or purchased from third parties, and can have their own controls and protective mechanisms configured to provide varying levels of protection and encryption.
• Management should implement or enable controls commensurate with the sensitivity of the data stored in, or accessed by, the database.
Types of database users:
1. People (e.g., employees, customers, and contractors).
a. Access. Some users may have extensive privileges, such as the ability to change the database configuration and access controls, while others are restricted in what can be viewed, manipulated, or stored.
b. Controls. Authorizations can be tailored to each person, greatly limiting the amount of information that could be exposed in a security incident.
2. Applications.
a. Access granted to the application can be extensive, and accordingly, an attack on a database through an application could expose a larger and more damaging collection of data.
b. Controls. Strengthen authentication and monitoring requirements to minimize the potential for unauthorized use.
Examination Procedures:
30. Determine how and where management uses encryption and if the type and strength are sufficient to protect information appropriately. Additionally, determine whether management has effective controls over encryption key management.

Bank Procedures:
II.C.19 Encryption (p. 40). Management should:
1. Employ encryption strength sufficient to protect information from disclosure.
2. Review encryption methods periodically to ensure that the types and methods of encryption are still secure as technology and threats evolve.
3. Review decisions regarding what data to encrypt and at what points to encrypt the data, based on the risk of disclosure, the costs of encryption, and the bank’s classification and risk assessment.
4. Protect stored passwords by hashing them with a salt, or by encrypting them in storage.
5. Make files containing encrypted or hashed passwords used to authenticate users readable only with elevated (or administrator) privileges.
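Item 4 above, salted hashing of stored passwords, is one of the few places the booklet names a specific technique. The following is an added example written for this guide, not code from the FFIEC booklet or the ABA; it shows the weak setting (an unsalted one-way hash, where two users with the same password produce the same stored value and one precomputed table attacks every record) beside the corrected form: a per-user random salt and an iterated key-derivation function stored with its parameters, so the work factor can be raised later. It uses PBKDF2-HMAC-SHA256 from the Python standard library; the iteration count is an assumed starting point to be tuned to the institution's hardware, and the `algorithm$iterations$salt$hash` record layout is an assumption made for the example.

```python
"""Salted, iterated password hashing beside the unsalted form (added example)."""
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 200_000   # assumed starting point; raise as hardware allows


def legacy_unsalted(password):
    """The weak setting: same password -> same stored value, for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, iterations=DEFAULT_ITERATIONS):
    """Stored form: algorithm$iterations$salt_hex$hash_hex (layout assumed for the example)."""
    salt = os.urandom(16)                       # fresh random salt per record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False                            # malformed record never authenticates
    if algorithm != ALGORITHM:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), hash_hex)


def needs_rehash(stored, iterations=DEFAULT_ITERATIONS):
    """True when a record predates the current work factor; rehash at the next successful login."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < iterations


if __name__ == "__main__":
    pw = "Winter2017!"
    print("unsalted, user A:", legacy_unsalted(pw))
    print("unsalted, user B:", legacy_unsalted(pw))     # identical: one table cracks both
    a, b = hash_password(pw), hash_password(pw)
    print("salted, user A:  ", a)
    print("salted, user B:  ", b)                        # differ, though the password is the same
    print("verify:", verify_password(pw, a), verify_password("winter2017!", a))
```

The stored record carries everything needed to verify it, so the iteration count can be increased for new records while old ones still verify, and `needs_rehash` lets the application upgrade each record the next time that user logs in. Keeping this file readable only by the authentication service is item 5 above and is independent of the hashing.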
Cryptographic key management, during generation, exchange, storage, use, and
replacement, relies on an agreed set of standards, procedures, and secure methods
that address the following:
1. Generating keys for different cryptographic systems and different
applications.
2. Generating and obtaining public keys.
3. Distributing keys to intended users, including how keys should be activated
when received.
4. Storing keys, including how authorized users obtain access to keys.
5. Changing or updating keys, including rules on when and how keys should be
changed.
6. Addressing compromised keys.
7. Archiving, revoking, and specifying how keys should be withdrawn or
deactivated.
8. Recovering keys that are lost or corrupted as part of business continuity
management.
9. Logging and auditing key management-related activities.
10. Instituting defined activation and deactivation dates, and limiting the usage
period of keys.
See ISO/IEC 11770-1:2010, “Key Management—Part 1: Framework”; ISO/
IEC 11770-2:2008, “Key Management—Part 2: Mechanisms Using Symmetric
Techniques”; and ISO/IEC 11770-3:2015, “Key Management—Part 3: Mechanisms
Using Asymmetric Techniques.”
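The key management list above (generation, activation on receipt, changing and updating keys, handling compromised keys, revocation and deactivation, logging, and defined activation and deactivation dates with a limited usage period) describes a state machine. The following is an added example written for this guide, not code from the FFIEC booklet, the ABA or the ISO/IEC 11770 standards; it applies that lifecycle to HMAC signing keys in a small in-memory key ring: a key is generated with an activation date, a deactivation date and a usage limit, signs only while active, verifies but no longer signs once deactivated (so older records still check), is refused entirely once marked compromised, and every event is written to an audit list. Key identifiers, dates and limits are constructed for the example, and a production system would keep the key material in an HSM or key vault rather than in process memory.

```python
"""Dated key lifecycle for HMAC signing keys (added example; identifiers and dates are constructed)."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta


class KeyRecord:
    def __init__(self, kid, material, activate_at, deactivate_at, max_uses):
        self.kid, self.material = kid, material
        self.activate_at, self.deactivate_at, self.max_uses = activate_at, deactivate_at, max_uses
        self.uses = 0
        self.state = "pending"   # pending -> active -> deactivated; compromised is terminal


class KeyRing:
    def __init__(self):
        self.keys = {}
        self.audit = []          # (event, key id, detail): the key management log

    def _log(self, event, kid, detail=""):
        self.audit.append((event, kid, detail))

    def generate(self, kid, activate_at, lifetime_days, max_uses):
        material = secrets.token_bytes(32)    # 256-bit key from the OS CSPRNG
        rec = KeyRecord(kid, material, activate_at, activate_at + timedelta(days=lifetime_days), max_uses)
        self.keys[kid] = rec
        self._log("generated", kid, f"active {activate_at.date()} to {rec.deactivate_at.date()}")
        return kid

    def _refresh(self, rec, now):
        """Advance the key through its dated lifecycle."""
        if rec.state == "pending" and now >= rec.activate_at:
            rec.state = "active"
            self._log("activated", rec.kid)
        if rec.state == "active" and (now >= rec.deactivate_at or rec.uses >= rec.max_uses):
            rec.state = "deactivated"
            self._log("deactivated", rec.kid, "expiry" if now >= rec.deactivate_at else "usage limit")

    def current(self, now):
        """The key that signs right now: the most recently activated active key."""
        active = []
        for rec in self.keys.values():
            self._refresh(rec, now)
            if rec.state == "active":
                active.append(rec)
        if not active:
            raise LookupError("no active signing key")
        return max(active, key=lambda r: r.activate_at)

    def sign(self, message, now):
        rec = self.current(now)
        rec.uses += 1
        mac = hmac.new(rec.material, message, hashlib.sha256).hexdigest()
        self._log("used", rec.kid, f"use {rec.uses}")
        self._refresh(rec, now)               # may deactivate on reaching the usage limit
        return rec.kid, mac

    def verify(self, kid, message, mac, now):
        rec = self.keys.get(kid)
        if rec is None:
            return False
        self._refresh(rec, now)
        if rec.state not in ("active", "deactivated"):   # pending or compromised never verify
            return False
        expected = hmac.new(rec.material, message, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, mac)

    def mark_compromised(self, kid):
        self.keys[kid].state = "compromised"
        self._log("compromised", kid, "re-sign or re-encrypt anything protected with this key")


if __name__ == "__main__":
    t0 = datetime(2017, 1, 1)
    ring = KeyRing()
    ring.generate("k1", t0, 30, 1000)
    ring.generate("k2", t0 + timedelta(days=30), 30, 1000)
    kid, mac = ring.sign(b"ACH file 2017-01-02", t0 + timedelta(days=1))
    later = t0 + timedelta(days=31)
    print("signed with", kid, "; still verifies after rotation:", ring.verify(kid, b"ACH file 2017-01-02", mac, later))
    print("now signing with", ring.sign(b"ACH file 2017-02-01", later)[0])
    ring.mark_compromised("k1")
    print("verifies after compromise:", ring.verify("k1", b"ACH file 2017-01-02", mac, later))
    for event in ring.audit:
        print(*event)
```

Two points worth noticing: the overlap between one key's deactivation date and the next key's activation date is what makes rotation possible without an outage, and marking a key compromised is deliberately different from deactivating it, since data protected under a compromised key must be treated as suspect rather than merely old.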
Examination Procedures:
31. Determine whether management appropriately oversees the effectiveness of information security controls over outsourced operations and is accountable for the mitigation of risks involved with the use of third-party service providers. Review the due diligence involved, security controls to mitigate risk, and monitoring capabilities over the institution’s third parties. Review the institution’s policies, standards, and procedures related to the use of the following:
a. Third-party service providers that facilitate operational activities (e.g., core processing, mobile financial services, cloud storage and computing, and managed security services).
b. Due diligence in research and selection of third-party service providers.
c. Contractual assurances from third-party service providers for security responsibilities, controls, and reporting.
d. Nondisclosure agreements with third-party service providers with access to the institution’s systems and data (including before, during, and following termination of the contract).
e. Independent review of the third-party service provider’s security through appropriate reports from audits and tests.
f. Coordination of incident response policies and contractual

Bank Procedures:
II.C.20 Oversight of Third-Party Service Providers (p. 42). Management should have:
1. Appropriate due diligence in third-party research, selection, and relationship management.
2. Contractual assurances for security responsibilities, controls, and reporting.
3. Nondisclosure agreements regarding the institution’s systems and data.
4. Independent review of the third party’s security through appropriate reports from audits and tests.
5. Coordination of incident response policies and contractual notification requirements.
6. Verification that information and cybersecurity risks are appropriately identified, measured, mitigated, monitored, and reported.
7. Due Diligence.
a. Conduct appropriate due diligence in selecting and monitoring third-party service providers.
b. Ensure third parties use suitable information security controls when providing services to the institution.
c. Monitor third-party service providers to confirm that they are maintaining appropriate controls when indicated by the institution’s risk assessment.
d. Require third-party service providers by contract to implement appropriate measures designed to meet the Information Security Standards, if customer information is stored, transmitted, processed, or disposed of.
e. Evaluate information security considerations of potential third-party service providers during initial due diligence.
See IT Handbook’s “Outsourcing Technology Services” booklet.
8. Controls. Verify, through contract terms, that third-party service providers implement and maintain controls sufficient to appropriately mitigate risks. Contracts should:
a. Include minimum control and reporting standards.
b. Provide for the right to require changes to standards as external and internal environments change.
c. Specify that the institution or an independent auditor has access to the service provider to perform evaluations of the service provider’s performance against the Information Security Standards.
See “Third-Party Reviews of Technology Service Providers” section of the IT Handbook’s “Audit” booklet.
9. Exposure to third party cyber risk.
notification requirements. a. Determine whether cyber risks are identified, measured, mitigated,
g. Verification that information monitored, and reported by third parties.
and cybersecurity risks are b. Incorporate an assessment of third-party risks to build a comprehensive
appropriately identified, understanding of the institution’s exposure to third-party cyber threats
measured, mitigated, monitored, within the bank’s information security assessment.
and reported.
ABA – Summary IT Booklet | 52

Examination Procedures

32. If the institution outsources cloud computing or storage to a third-party service provider, refer to the FFIEC’s “Outsourced Cloud Computing” statement.

Bank Procedures

II.C.20(a) Outsourced Cloud Computing (p. 43). Management may need to revise information security policies, standards, and procedures to incorporate the activities related to a cloud computing service provider.
See FFIEC’s “Outsourced Cloud Computing” statement (July 2012).

Examination Procedures

33. If the institution outsources the management of security services to a third-party service provider, refer to the information available in appendix D of the IT Handbook’s “Outsourcing Technology Services” booklet and the related examination procedures.

Bank Procedures

II.C.20(b) Managed Security Service Providers (p. 43). Management may rely on third parties to provide security services, but remains responsible for ensuring the security of the institution’s systems and information by oversight of the effectiveness of the services.
See Appendix D of the IT Handbook’s “Outsourcing Technology Services” booklet.

Examination Procedures

34. Determine whether management effectively manages the following information security considerations related to business continuity planning. Review management’s ability to do the following:
   a. Identify personnel with key information security roles during a disaster and training of personnel in those roles.
   b. Define information security needs for backup sites and alternate communication networks.
   c. Develop policies that address the concepts of information security incident response and resilience and test information security incident scenarios.

Bank Procedures

II.C.21 Business Continuity Considerations (p. 43). Management should:
1. Train personnel regarding their security roles during a disaster.
2. Update technologies and plans for backup sites and communications networks.
3. Integrate security within the testing of the business continuity plan.
The Business Continuity Plan should:
1. Include steps that explicitly address information security incident response and resilience.
2. Incorporate information security event scenarios identified by the institution as part of the resilience testing.
See IT Handbook’s “Business Continuity Planning” booklet.

Footnotes:
3 See the FFIEC’s “Outsourced Cloud Computing” statement.
4 Refer to the IT Handbook’s “Outsourcing Technology Services” booklet for the MSSP Examination Procedures.

Examination Procedures

35. Determine whether management has an effective log management process that involves a central logging repository, timely transmission of log files, and effective log analysis. Review whether management has the following:
   a. Log retention policies that meet incident response and analysis needs.
   b. Processes for the security and integrity of log files (e.g., encryption of log files, adequate storage capacity, secure backup and disposal of logs, logging to a separate computer, use of read-only media, controlled log parameters, and restricted access to log files).
   c. Independent review of logging practices.
   d. Processes to effectively collect, aggregate, analyze, and correlate security event information from discrete systems and applications.

Bank Procedures

II.C.22 Log Management (p. 44). Management should:
1. Have effective log retention policies that address the significance of maintaining logs for incident response and analysis needs.
2. Strictly control and monitor access to log files, whether on the host or in a centralized logging repository.
3. Have logging practices reviewed periodically by an independent party to ensure appropriate log management.
4. Develop processes to collect, aggregate, analyze, and correlate security information.
5. Have policies that define retention periods for security and operational logs.
6. Monitor event logs for anomalies and relate that information to other sources of information to broaden the understanding of trends, improve reaction to threats, and improve reports to management and the board.
7. Protect the security and integrity of log files:
   a. Encrypt log files that contain sensitive data or that are transmitted over the network.
   b. Ensure adequate storage capacity to avoid gaps in data gathering.
   c. Secure backup and disposal of log files.
   d. Log data to:
      i. A separate, isolated computer.
      ii. Read-only media.
   e. Set logging parameters to disallow any modification to previously written data.
   f. Restrict access to log files to a limited number of authorized users.
Security Information and Event Management (SIEM) systems gather information from:
1. Network and security devices and systems, including intrusion detection and prevention systems, DLP solutions, and firewalls.
2. Identity and access management applications.
3. Vulnerability management and policy compliance tools.
4. Operating system, database, and application logs.
5. Physical and environmental monitoring systems.
6. External threat data.
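Two of the log-management practices above, a central repository whose previously written data cannot be altered undetected and a correlation pass over events collected from more than one source, are shown in the following added example. It is not code from the FFIEC booklet or from any SIEM product; the record layout, the source names (idp, firewall, host), the sample events and the logon-correlation rule are constructed assumptions.

```python
"""Central log repository with a tamper-evident hash chain, plus a
cross-source correlation pass over the collected events.

Added illustration of the log-management practices above. The record
layout, the source names, the sample events and the correlation rule are
constructed assumptions, not the FFIEC booklet's or any SIEM product's code.
"""
import copy
import hashlib
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64


class LogRepository:
    """Append-only store. Each entry's hash covers the previous entry's hash,
    so editing or deleting any earlier entry invalidates every later one; the
    chain head is what would be copied to read-only media or a separate host
    after each batch."""

    def __init__(self) -> None:
        self._entries: List[dict] = []
        self._head = GENESIS

    @staticmethod
    def _digest(prev_hash: str, seq: int, source: str, record: dict) -> str:
        body = json.dumps({"seq": seq, "source": source, "record": record},
                          sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(prev_hash.encode() + body).hexdigest()

    def append(self, source: str, record: dict) -> int:
        seq = len(self._entries)
        digest = self._digest(self._head, seq, source, record)
        self._entries.append({"seq": seq, "source": source, "record": record,
                              "prev": self._head, "hash": digest})
        self._head = digest
        return seq

    def entries(self) -> List[dict]:
        return copy.deepcopy(self._entries)  # readers get a copy, never the store

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Recompute the chain; return (ok, seq of the first bad entry)."""
        prev = GENESIS
        for e in self._entries:
            if e["prev"] != prev or e["hash"] != self._digest(
                    prev, e["seq"], e["source"], e["record"]):
                return False, e["seq"]
            prev = e["hash"]
        return prev == self._head, None


def correlate_logons(entries: List[dict], threshold: int = 3,
                     window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Assumed rule: a successful logon preceded, within `window`, by at
    least `threshold` failures for the same account from the same address."""
    failures: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    findings = []
    for e in sorted(entries, key=lambda x: x["record"]["ts"]):
        if e["source"] != "idp":
            continue
        r = e["record"]
        ts = datetime.fromisoformat(r["ts"])
        key = (r["user"], r["src_ip"])
        if r["event"] == "auth_failure":
            failures[key].append(ts)
        elif r["event"] == "auth_success":
            recent = [t for t in failures[key] if ts - t <= window]
            if len(recent) >= threshold:
                findings.append({"user": r["user"], "src_ip": r["src_ip"],
                                 "failures_before_success": len(recent), "at": r["ts"]})
            failures[key].clear()
    return findings


SAMPLE_EVENTS = [  # constructed (source, record) pairs from three log sources
    ("firewall", {"ts": "2017-03-01T08:59:50", "action": "allow",
                  "src": "10.1.4.22", "dst": "198.51.100.9", "dport": 443}),
    ("idp", {"ts": "2017-03-01T09:00:10", "event": "auth_failure", "user": "jdoe", "src_ip": "203.0.113.5"}),
    ("idp", {"ts": "2017-03-01T09:00:25", "event": "auth_failure", "user": "jdoe", "src_ip": "203.0.113.5"}),
    ("idp", {"ts": "2017-03-01T09:00:40", "event": "auth_failure", "user": "jdoe", "src_ip": "203.0.113.5"}),
    ("idp", {"ts": "2017-03-01T09:01:05", "event": "auth_success", "user": "jdoe", "src_ip": "203.0.113.5"}),
    ("idp", {"ts": "2017-03-01T09:02:00", "event": "auth_failure", "user": "asmith", "src_ip": "10.1.7.3"}),
    ("idp", {"ts": "2017-03-01T09:02:30", "event": "auth_success", "user": "asmith", "src_ip": "10.1.7.3"}),
    ("host", {"ts": "2017-03-01T09:03:00", "event": "process_start",
              "host": "ws-0412", "image": "backup-agent.exe"}),
]


def build_repository(events=SAMPLE_EVENTS) -> LogRepository:
    """Collect events from every source into the central repository."""
    repo = LogRepository()
    for source, record in events:
        repo.append(source, record)
    return repo


def tamper_and_verify(repo: LogRepository, seq: int) -> Tuple[bool, Optional[int]]:
    """Alter one stored record in a copy (as someone hiding a failed logon
    would) and show that verification pinpoints the altered entry."""
    damaged = copy.deepcopy(repo)
    damaged._entries[seq]["record"]["event"] = "auth_success"
    return damaged.verify()
```

The chain gives the "disallow any modification to previously written data" property at the data level; it complements, rather than replaces, file permissions and read-only media, because anyone who can rewrite the whole chain from the genesis value can still forge it. The correlation function shows why item 4 (collect, aggregate, correlate) matters: the three failures and the later success are unremarkable one at a time and only meaningful together.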

Objective 7: Determine whether management has effective risk monitoring and reporting processes.

Examination Procedures

1. Determine whether the institution has risk monitoring and reporting processes that address changing threat conditions in both the institution and the greater financial industry. Determine whether these processes address information security events faced by the institution, the effectiveness of management’s response, and the institution’s resilience to those events. Review whether the reporting process includes a method of disseminating those reports to appropriate members of management.
2. Determine whether the risk monitoring and reporting process is regular and prompts action, when necessary, in a timely manner.
3. Determine whether program monitoring and reporting instigate appropriate changes that are effective in maintaining an acceptable level of risk.

Bank Procedures

II.D Risk Monitoring and Reporting (p. 45)
Risk monitoring should address changing threat conditions, and thus changes to the bank’s inherent risk profile, in the bank and the financial industry from:
1. Evolving threats: capabilities and intentions, vulnerabilities exploited.
2. New vulnerabilities in software and systems occurring after modification or update.
3. External requirements and new third-party service providers.
Risk reporting should:
1. Describe any information security events that the institution faces and the effectiveness of management’s response and resilience to those events.
2. Have content prompting action, if necessary, in a timely manner to maintain appropriate levels of risk.
3. Have a method to disseminate risk reports to appropriate management staff.

Examination Procedures

1. Determine whether management develops and effectively uses metrics as part of the risk monitoring and reporting processes for the information security program. Review whether management does the following:
   a. Uses metrics that are timely, comprehensive, and actionable to improve the program’s effectiveness and efficiency.
   b. Develops metrics that demonstrate the extent to which the information security program is implemented and whether the program is effective.
   c. Uses metrics to measure security policy implementation, the adequacy of security services delivery, and the impact of security events on business processes.
   d. Establishes metrics to measure conformance to the standards and procedures that are used to implement policies.
   e. Uses metrics to quantify and report risks in the information security program.

Bank Procedures

II.D.1 Metrics (p. 45). Management should:
1. Recognize that mature and effective information security programs use metrics to improve program effectiveness and efficiency.
2. Develop metrics that demonstrate the extent to which the security program is implemented and whether the program is effective, such as metrics for:
   a. Increasing control and driving improvements to the security process.
   b. Measuring conformance to standards and procedures used to implement policies.
   c. Quantifying and reporting risks of the information security program.
3. Gather metrics from external sources and internal data that are comprehensive and commensurate with the complexity of the institution’s operations.
4. Measure security policy implementation, conformance with the information security program, adequacy of security services delivery, and impact of security events on business processes.
5. Metric and monitoring reports should:
   a. Be incorporated into customized reports tailored for different audiences and stakeholders, and
   b. Feed into ITRM reporting.

Objective 8: Determine whether management has security operations that encompass necessary security-related functions, are guided by defined processes, are integrated with lines of business and activities outsourced to third-party service providers, and have adequate resources (e.g., staff and technology).

Examination Procedures

1. Determine whether the institution’s security operations activities include the following:
   a. Security software and device management (e.g., maintaining the signatures on signature-based devices and firewall rules).
   b. Forensics (e.g., analysis of potentially compromised systems).
   c. Vulnerability identification (e.g., operation or supervision of vulnerability scans, self-assessments, penetration tests, and analysis of audit results).
   d. Vulnerability cataloging and remediation tracking.
   e. Physical security management (e.g., CCTV, guards, and badge systems).
   f. Law enforcement interface (e.g., data retention and lawful intercepts).
   g. Third-party integration (e.g., managed security services and incident detection services).
   h. Monitoring of network, host, and application activity.
   i. Threat identification and assessment.
   j. Incident detection and management.
   k. Enforcement of access controls.
   l. Back-office operations and transaction processing.
   m. Customer service.
   n. Systems development and support.
   o. Internal controls and processes.
   p. Capacity planning.

Bank Procedures

III. Security Operations (p. 46)
Activities. Security operations activities can include:
1. Security software and device management (e.g., maintaining the signatures on signature-based devices and firewall rules).
2. Forensics (e.g., analysis of potentially compromised systems).
3. Threat identification and assessment.
4. Vulnerability identification (e.g., operation or supervision of vulnerability scans, self-assessments, penetration tests, and analysis of audit results).
5. Vulnerability cataloging and remediation tracking.
6. Physical security management (e.g., CCTV, guards, and badge systems).
7. Law enforcement interface (e.g., data retention and lawful intercepts).
8. Third-party integration (e.g., managed security services and incident detection services).
9. Network, host, and application activity monitoring.
10. Analysis of threat intelligence from external sources.
11. Engagement with information sharing groups.
12. Incident detection and management.
13. Enforcement of access controls.

Examination Procedures

2. Determine whether management establishes defined processes and appropriate governance to facilitate the performance of security operations. Determine whether management coordinates security operations activities with the institution’s lines of business and with the institution’s third-party service providers.

Bank Procedures

Management should:
1. Establish defined processes and appropriate governance to facilitate the performance of security operations.
2. Have policies addressing:
   a. the timing and extent of the security operations activities,
   b. reporting,
   c. escalation triggers, and
   d. response actions.
3. Coordinate security operations activities with the institution’s lines of business and with third-party service providers to maintain a sufficient security operations capability across environments.
4. Support sufficient technology and staff to gain the necessary scope and depth to support continual incident detection and response activities, which may include use of third parties, in whole or in part.
See IT Handbook’s “Outsourcing Technology Services” booklet.
Organization. Security operations may be:
1. Centralized in a security operations center,
2. Distributed within the information security department and business lines, or
3. Outsourced, in whole or in part, to a third party.

Examination Procedures

3. Determine whether management has effective threat identification and assessment processes, including the following:
   a. Maintaining procedures for obtaining, monitoring, assessing, and responding to evolving threat and vulnerability information.
   b. Identifying and assessing threats (e.g., threat information is often ad hoc, although some providers present threat information within a defined framework that readily lends itself to analytical operations).
   c. Using tools to assist in the analysis of vulnerabilities (e.g., design of the system, operation of the system, security procedures, business line controls, and implementation of the system and controls).
   d. Using threat knowledge to drive risk assessment and response.
   e. Designing policies to allow immediate and consequential threats to be dealt with expeditiously.
   f. Developing appropriate processes to evaluate and respond to vulnerability information from external groups or individuals.

Bank Procedures

Threat identification, resources, and assessment:
1. Identification of threats:
   a. Sources, capabilities, and objectives.
   b. Examples of threat sources (NIST):
      i. Hostile cyber or physical attacks.
      ii. Human errors of omission or commission.
      iii. Structural failures of organization-controlled resources (e.g., hardware, software, and environmental controls).
      iv. Natural and man-made disasters, accidents, and failures beyond the control of the organization.
   See NIST SP 800-30, Revision 1, “Information Security: Guide for Conducting Risk Assessments,” September 2012.
2. Threat information and resources:
   a. Government (e.g., US-CERT),
   b. Information-sharing organizations (e.g., FS-ISAC),
   c. Industry sources,
   d. The institution, and
   e. Third parties: organizations that specifically track and report on threats, third-party reports of past activity, and reports compiling incidents and knowledge from organizations, domestic (US) and international.
3. Types of information to support a threat assessment:
   a. Incident data (e.g., security provider reports).
   b. Attack data from sources (e.g., FS-ISAC and managed security service providers).
   c. Threat data (e.g., free or fee-based reports).
4. Threat assessment factors may include:
   a. Description,
   b. Context for operation,
   c. Capabilities and intent, and
   d. Benefits and negative consequences associated with an attack, from the threat-source perspective.

Bank Procedures (continued)

Vulnerability occurrence, identification, and analysis:
1. Occurrence. System design, system operation, security procedures, business line controls, and implementation of the system and controls.
2. Identification. Self-assessments, audits, scans, penetration tests, reviews of SIEM reports, and reports from external individuals or groups.
3. Tools for analyzing vulnerabilities in a layered security environment: attack trees, event trees, and kill chains.

Examination Procedures

4. Determine whether management has effective threat monitoring processes, including the following:
   a. Defining threat monitoring policies that provide for both continual and ad hoc monitoring of communications and systems, effective incident detection and response, and the use of monitoring reports in subsequent legal proceedings.
   b. Establishing responsibility and accountability for security personnel and system administrators for monitoring.
   c. Appropriately reviewing and providing approval of the monitoring tools used.
   d. Monitoring of indicators, including vulnerabilities, attacks, compromised systems, and suspicious users.
   e. Monitoring both incoming and outgoing network traffic to identify malicious activity and data exfiltration.
   f. Establishing and documenting a process to independently monitor administrators and other users with higher privileges.

Bank Procedures

III.B Threat Monitoring (p. 48). Management should:
1. Establish the responsibility and authority of security personnel and system administrators for threat monitoring.
2. Review and approve the threat monitoring tools used and the conditions for their use.
3. Have threat monitoring policies providing for:
   a. Continual and ad hoc monitoring of threat intelligence, communications, and systems,
   b. Effective incident detection and response, and
   c. Use of monitoring reports in subsequent legal proceedings.
Threat monitoring should address:
1. Indicators of vulnerabilities, attacks, compromised systems, and suspicious users (e.g., users not complying with or seeking to evade security policies).
2. Incoming and outgoing network traffic, to identify malicious activity and data exfiltration.
3. Processes, established and documented, to independently monitor administrators and other users with higher privileges.
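Two of the threat-monitoring points above, outgoing traffic reviewed for a data-exfiltration indicator and independent monitoring of administrators, are illustrated by the following added example run over constructed sample records. It is not code from the FFIEC booklet; the record formats, the hosts and addresses, the per-host baselines, the 5x factor, the "adm-" account-naming convention and the change-reference policy are all assumptions.

```python
"""Two monitoring checks over constructed sample records: outbound transfer
volume per internal host against a baseline (a data-exfiltration indicator)
and privileged-account actions that lack an approved change reference or
that touch the audit trail itself.

Added illustration; the record formats, hosts, addresses, baselines, the 5x
factor and the privileged-account policy are assumptions, not anything the
FFIEC booklet prescribes.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed firewall flow summaries: (timestamp, src, dst, bytes_out)
FLOWS: List[Tuple[str, str, str, int]] = [
    ("2017-03-01T02:10:00", "10.1.4.22", "198.51.100.9", 850_000_000),
    ("2017-03-01T02:25:00", "10.1.4.22", "198.51.100.9", 900_000_000),
    ("2017-03-01T09:12:00", "10.1.7.3", "203.0.113.40", 20_000_000),
    ("2017-03-01T09:40:00", "10.1.7.3", "10.1.1.5", 5_000_000_000),  # internal backup: not counted
    ("2017-03-01T11:05:00", "10.1.9.14", "198.51.100.77", 60_000_000),
]

# Constructed per-host daily outbound baseline (bytes) from earlier observation
BASELINE: Dict[str, int] = {"10.1.4.22": 120_000_000, "10.1.7.3": 250_000_000}


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_by_host(flows) -> Dict[str, int]:
    """Sum bytes leaving the internal networks, per source host."""
    totals: Dict[str, int] = defaultdict(int)
    for _ts, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return dict(totals)


def exfiltration_candidates(flows, baseline: Dict[str, int], factor: float = 5.0,
                            unknown_host_min: int = 50_000_000) -> List[dict]:
    """Flag hosts above `factor` times their baseline; hosts with no baseline
    are flagged above an absolute floor so a new talker is not ignored."""
    findings = []
    for host, total in sorted(outbound_by_host(flows).items()):
        base = baseline.get(host)
        if base is None:
            if total >= unknown_host_min:
                findings.append({"host": host, "bytes": total, "reason": "no baseline"})
        elif total > factor * base:
            findings.append({"host": host, "bytes": total,
                             "reason": f"{total / base:.1f}x baseline"})
    return findings


# Constructed privileged-activity records gathered from host audit logs
PRIV_ACTIONS: List[dict] = [
    {"ts": "2017-03-01T22:05:00", "user": "adm-jlee", "host": "db-01",
     "action": "service_restart", "change_ref": "CHG-4411"},
    {"ts": "2017-03-01T23:30:00", "user": "adm-jlee", "host": "db-01",
     "action": "user_create", "change_ref": None},
    {"ts": "2017-03-02T01:15:00", "user": "adm-rkim", "host": "log-01",
     "action": "audit_log_clear", "change_ref": "CHG-4412"},
    {"ts": "2017-03-02T08:00:00", "user": "jdoe", "host": "ws-0412",
     "action": "file_open", "change_ref": None},
]

PRIVILEGED_PREFIX = "adm-"  # assumed naming convention for administrator accounts
ALWAYS_REVIEW = {"audit_log_clear", "audit_policy_change", "log_rotation_disable"}


def privileged_activity_review(actions: List[dict]) -> List[dict]:
    """Assumed policy: every action by a privileged account needs a change
    reference, and actions that touch the audit trail are surfaced even with
    one, so that someone other than the administrator reviews them."""
    findings = []
    for a in actions:
        if not a["user"].startswith(PRIVILEGED_PREFIX):
            continue
        if a["action"] in ALWAYS_REVIEW:
            findings.append({**a, "reason": "audit-trail action"})
        elif not a["change_ref"]:
            findings.append({**a, "reason": "no change reference"})
    return findings
```

Both checks are deliberately simple thresholds; in practice the baseline would be learned per host and per time of day, and the privileged-activity findings would go to a reviewer who is not in the administrator group, which is the "independently monitor" requirement in item 3.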

Examination Procedures

5. Determine whether management has effective incident identification and assessment processes to do the following:
   a. Identify indicators of compromise.
   b. Analyze the event associated with the indicators.
   c. Classify the event.
   d. Enable the use of response teams and responses depending on the type of event.
   e. Escalate the event consistent with the classification.
   f. Report internally and externally as appropriate.
   g. Identify personnel empowered to declare an incident.
   h. Develop procedures to test the incident escalation, response, and reporting processes.

Bank Procedures

III.C Incident Identification and Assessment (p. 48). Management should:
1. Have a process for identifying indicators of compromise, and
2. Rapidly report indicators for investigation.
   a. Investigation may require additional information from outside and inside the institution, such as a forensic review.
   b. Information developed in the analysis may be useful to guide response activities.
   c. The report should instigate an analysis that seeks to confirm whether a compromise took place and how that compromise should be classified.
   d. Analysis should result in a classification of the event, implementation of escalation procedures, and reporting.
   e. Classification of a compromise may require information on the specific hosts affected, data lost, and business processes affected.
3. Perform due diligence to identify external assistance in advance of incidents to ensure available resources.
4. Consider whether to incorporate information sharing through organizations such as FS-ISAC into the bank’s strategy, to protect the institution and benefit the industry at large by enabling other institutions to better assess and respond to current attacks.
5. Determine whether the institution’s or its managed security service provider’s analysts are sufficiently trained to appropriately analyze network, host, and application activity and to use the monitoring and analysis tools made available to them.
6. Assure that security analysts coordinate and collaborate with bank staff with knowledge and authority for specific types of malicious activity, such as fraud.
7. Scale escalation, response, and reporting to be commensurate with the level of risk severity.
Incident identification processes: indicators
1. External. E.g., contact with customers, law enforcement, card organizations (e.g., credit or payment cards), other financial institutions, or the media.
2. Internal. E.g., internal users contact the help desk, IT operations follows up on anomalies, or security operations follows up on anomalies identified through security devices and network and systems activity.
3. Hunt teams and analyst active search. “Hunt teams,” or dedicated analysts, actively search for indicators of compromise.
4. Technology.
   a. Anomalies in host state, host activity, and network traffic.
   b. Examples:
      i. Unexpected changes in processes, changes to files, packet source or destination, protocols, ports, encryption, log-ins, and packet content.
      ii. Alerts triggered by black lists in anti-virus and network monitoring products.

Bank Procedures (continued)

Intrusion identification systems and tools:
1. Threat intelligence data feeds, including automated and standardized information sharing processes (e.g., Structured Threat Information eXpression (STIX) and Trusted Automated eXchange of Indicator Information (TAXII)).
2. Intrusion detection and prevention systems for networks and hosts.
3. End-point visibility tools (tools that can identify the function of end points and which end points contain or have access to sensitive information).
4. DLP tools.
5. Log correlation and analysis tools.
6. File integrity tools.
7. Malware detection tools.
8. Network behavior analysis systems.
9. “Big data” tools and analytics that aggregate and allow pre-formed and ad hoc analysis.
Indicator analysis should be guided by:
1. Policies and procedures:
   a. Addressing who is empowered to declare an incident.
   b. Guiding responses to incidents.
   c. Developing procedures to test the incident escalation, response, and reporting processes.
2. Classification policies that clearly enable timely classification of incidents by level of severity, enabling the use of response teams and responses depending on the type and severity of events.
3. Escalation policies addressing when:
   a. Different personnel within the bank will be contacted, and their individual responsibilities in incident analysis and response.
   b. To request or obtain external assistance from third parties and/or the federal government.
4. Reporting policies addressing internal and external reporting, including coordination with third parties and reporting to external organizations (e.g., FS-ISAC).
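Item 1 above (threat-intelligence feeds exchanged as STIX over TAXII) and the indicator-of-compromise examples on the preceding page come together in the following added example, which matches the indicators in a STIX 2.1 bundle against observations from a firewall, a DNS resolver and a file-integrity sensor while honouring each indicator's validity window. It is not code from the FFIEC booklet, from OASIS or from any TAXII client; the bundle, its placeholder identifiers, the observations, the sample hash and the pattern subset handled (equality comparisons joined by OR) are constructed assumptions.

```python
"""Match observed artifacts against indicators from a STIX 2.1 bundle of the
kind a TAXII feed delivers, honouring each indicator's validity window.

Added illustration. The bundle, its ids (placeholder UUIDs), the observations
and the pattern subset handled (equality comparisons, each treated as an
alternative) are constructed assumptions; this is not code from the FFIEC
booklet, OASIS or any TAXII client.
"""
import re
from datetime import datetime
from typing import List, Tuple

# One STIX comparison: <object type>:<property path> = '<value>'
_COMPARISON = re.compile(
    r"([A-Za-z0-9_-]+):((?:[A-Za-z0-9_.\-]|'[^']*')+)\s*=\s*'([^']*)'")


def parse_pattern(pattern: str) -> List[Tuple[str, str, str]]:
    """Reduce a pattern to (type, path, value) triples. Only equality
    comparisons are handled and every comparison counts as an alternative,
    which is exact for OR-joined patterns and a simplification otherwise."""
    triples = [(obj_type, path.replace("'", ""), value)
               for obj_type, path, value in _COMPARISON.findall(pattern)]
    if not triples:
        raise ValueError(f"unsupported pattern: {pattern}")
    return triples


def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def match_observations(bundle: dict, observations: List[dict]) -> List[dict]:
    """Return one hit per (indicator, observation) pair where the observation
    satisfies the indicator inside its valid_from / valid_until window."""
    hits = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        triples = parse_pattern(obj["pattern"])
        valid_from = parse_ts(obj["valid_from"])
        valid_until = parse_ts(obj["valid_until"]) if "valid_until" in obj else None
        for ob in observations:
            seen = parse_ts(ob["seen"])
            if seen < valid_from or (valid_until and seen >= valid_until):
                continue  # stale or not-yet-valid indicator: no alert
            for obj_type, path, value in triples:
                if ob.get("type") == obj_type and ob.get(path) == value:
                    hits.append({"indicator": obj["id"], "name": obj.get("name"),
                                 "sensor": ob["sensor"], "seen": ob["seen"]})
                    break
    return hits


PLACEHOLDER_SHA256 = "ab" * 32  # constructed placeholder, not a real sample hash

SAMPLE_BUNDLE = {  # constructed; ids are placeholder UUIDs
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-0000000000ff",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000001",
         "created": "2017-02-20T00:00:00.000Z", "modified": "2017-02-20T00:00:00.000Z",
         "name": "Command-and-control address reported by a peer institution",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '198.51.100.9']",
         "valid_from": "2017-02-20T00:00:00.000Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "created": "2016-11-01T00:00:00.000Z", "modified": "2016-12-15T00:00:00.000Z",
         "name": "Dropper file hash (expired)",
         "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '%s']" % PLACEHOLDER_SHA256,
         "valid_from": "2016-11-01T00:00:00.000Z",
         "valid_until": "2017-01-01T00:00:00.000Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "created": "2017-02-25T00:00:00.000Z", "modified": "2017-02-25T00:00:00.000Z",
         "name": "Phishing domains",
         "pattern_type": "stix",
         "pattern": "[domain-name:value = 'login-update.example'] OR "
                    "[domain-name:value = 'secure-verify.example']",
         "valid_from": "2017-02-25T00:00:00.000Z"},
    ],
}

SAMPLE_OBSERVATIONS = [  # constructed sensor output, one dict per observed object
    {"type": "ipv4-addr", "value": "198.51.100.9", "sensor": "fw-edge-1",
     "seen": "2017-03-01T02:10:00Z"},
    {"type": "file", "hashes.SHA-256": PLACEHOLDER_SHA256, "sensor": "fim-ws-0412",
     "seen": "2017-03-01T09:03:00Z"},  # matches an expired indicator: no hit
    {"type": "domain-name", "value": "secure-verify.example", "sensor": "dns-resolver-2",
     "seen": "2017-03-01T09:20:00Z"},
    {"type": "ipv4-addr", "value": "203.0.113.40", "sensor": "fw-edge-1",
     "seen": "2017-03-01T09:12:00Z"},
]
```

The validity check is the part most often skipped in home-grown matching: an indicator past its valid_until (the file hash above) is exactly the kind of stale entry that produces noise, so the feed's own metadata, not just its values, should drive the match.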

Examination Procedures

6. Determine whether management has effective incident response processes, including the following:
   a. Protocols defined in the incident response policy to declare and respond to an incident once identified.
   b. Procedures to minimize damage through the containment of the incident, restoration of systems, preservation of data and evidence, and notification, as appropriate, to customers and others as needed.
   c. Appropriate balance of adequate people and technologies in the response.
   d. A plan that is comprehensive, coordinated, integrated, and periodically tested with appropriate internal and external parties.
   e. Policies and procedures to guide the response, assigning responsibilities to individuals; providing appropriate training; formalizing information flows; and selecting, installing, and understanding the tools used in the response effort.
   f. Thresholds for reporting significant security incidents and processes to notify, as appropriate, the institution’s regulators of those incidents that may affect the institution or the financial system.
   g. Assignment of responsibilities, training, and testing.
   h. Containment strategies.
   i. Restoration and follow-up strategies.

Bank Procedures

III.D Incident Response (p. 50). Management should:
1. Have an incident response program.
2. Prepare for potential incidents by developing an incident response plan that is comprehensive, coordinated, and integrated with existing institution policies, procedures, and training.
3. Periodically test the incident response plan through different test types, including scenario planning and tabletop testing, and perform the tests with appropriate internal and external parties.
4. Define the policies and procedures guiding the response: assigning responsibilities to individuals; providing appropriate training; formalizing information flows; and selecting, installing, and understanding the tools used in the response effort.
5. Define thresholds for reporting significant security incidents.
6. Consider developing processes for notifying regulators of incidents that may affect the bank’s operations, reputation, or sensitive customer information, or the financial system.
7. Require third-party service providers to follow the institution’s policies and maintain the confidentiality of data, if security incident response team (SIRT) functions are outsourced.
8. Consider the tests most applicable to its IT environment to assess the adequacy of preparation, and consider participating with outside entities that provide testing activities (e.g., FS-ISAC).
9. Periodically review intrusion response to identify improvements, and implement improvements through changes in policy, standards, procedures, training, and practices.
See “Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice,” supplementing the Information Security Standards.
The Incident Response Program should:
1. Have defined protocols to declare and respond to an identified incident.
2. Address, as appropriate:
   a. Containing the incident,
   b. Coordinating with law enforcement and third parties,
   c. Restoring systems,
   d. Preserving data and evidence,
   e. Providing assistance to customers, and
   f. Facilitating operational resilience of the institution.
3. Consider the role to be played by external relationships existing before the incident with law enforcement, incident response consultants and attorneys, information-sharing entities (e.g., FS-ISAC), etc.
4. Address primary considerations for incident response:
   a. How to balance concerns regarding confidentiality and integrity (which may involve legal and liability considerations) as a key driver of a containment strategy.
   b. Whether some systems must be disconnected or shut down at the first sign of intrusion, while others must be left online.
   c. When and under what circumstances to invoke the incident response activities, and how to ensure that the proper personnel are notified and available.
   d. When to involve outside experts and how to ensure the proper expertise will be available, when needed, for containment and restoration.

Bank Procedures (continued)

   e. Protocols to define when and under what circumstances to notify and involve regulators, customers, and law enforcement, including names and contact information for each group.
   f. Which personnel have authority to perform specific actions in the containment and restoration of the system, including internal communications strategy, commitment of personnel, and procedures that escalate involvement and decisions within the organization.
   g. How, when, and what to communicate outside of the institution, including to law enforcement, regulatory agencies, information-sharing organizations, customers, third-party service providers, potential victims, etc.
   h. How to document and maintain the evidence, the decisions made, and the actions taken.
   i. What criteria must be met before returning compromised services, equipment, and software to the network.
   j. How to learn from the intrusion and use lessons learned to improve security.
   k. How and when to prepare and file a Suspicious Activity Report (SAR).
   l. Assignment of responsibilities, training, and testing.
Containment strategies may vary, but typically include:
1. Isolation of compromised systems or enhanced monitoring of intruder activities.
2. Search for additional compromised systems.
3. Collection and preservation of evidence.
4. Communication with affected parties and often the primary regulator, information-sharing organizations (e.g., FS-ISAC), or law enforcement.
Restoration and follow-up strategies should address:
1. Elimination of an intruder’s means of access.
2. Restoration of systems, programs, and data to a known good state.
3. Initiation of customer notification and assistance activities consistent with laws, regulations, and interagency guidance.
4. Monitoring to detect similar or further incidents.
Security incident response team (SIRT)
• Some institutions formalize a response program by creating a security incident response team (SIRT); others may outsource some or all SIRT functions (e.g., forensic examinations).
• Tasks. Performing, coordinating, and supporting responses to security incidents and intrusions.
• Membership. Individuals with a wide range of backgrounds and expertise from different areas within the institution, including management, legal, public relations, and IT staff.

Objective 9: Determine whether management has an effective information security program.

Examination Procedures

1. Determine whether the information security program is subject to periodic review and whether management provides for continual improvement in the program’s effectiveness. Verify whether that review does the following:
   a. Addresses the program in its current environment.
   b. Demonstrates that lessons learned from experience, audit findings, and other opportunities for improvement are identified and applied.

Bank Procedures

IV. Information Security Program (p. 52). The program should be periodically reviewed to ensure continual improvement in its effectiveness. The review should:
1. Address the program in the context of the environment in which it now operates, within the bank and externally.
2. Identify lessons learned from experience, audit findings, and other indicators of opportunities for improvement, and change the program as appropriate.

Objective 10: Determine whether assurance activities provide sufficient confidence that the security program is operating as expected
and reaching intended goals.

Examination Procedures

1. Review whether management ascertains assurance through the following:
   a. Testing and evaluations through a combination of self-assessments, penetration tests, vulnerability assessments, and audits with appropriate coverage, depth, and independence.
   b. Alignment of personnel skills and program needs.
   c. Reporting that is timely, complete, transparent, and relevant to management decisions.

Bank Procedures

IV.A Assurance and Testing (p. 53)
Assurance targets two parts of the bank’s IT system:
1. Design: focuses on the risk decisions that shape the security controls; design flaws are typically corrected by redesign.
2. Operation: focuses on how the controls are operated; operational flaws are typically corrected through a compliance program.
The bank should have a documented testing and evaluation plan that:
1. Addresses:
   a. Integration of security controls,
   b. Level of assurance desired, and
   c. Strategies and activities performed.
2. Identifies:
   a. Specific components of the system to address,
   b. Methods by which the components are to be addressed,
   c. Timing and frequency of the tests and evaluations, and
   d. Criteria used to ascertain whether the test and evaluation results are acceptable and provide assurance.
See Information Security Standards, section III.C.3, Incident Identification and Assessment, which requires each financial institution to test the key controls, systems, and procedures of its information security program using independent third parties or staff independent of those who develop or maintain the program.
Examination Procedures

2. Determine whether management considers the following key testing factors when developing and implementing independent tests:
   a. Scope.
   b. Personnel.
   c. Notifications.
   d. Confidentiality, integrity, and availability of the institution’s information.
   e. Confidentiality of test plans and data.
   f. Frequency.

Bank Procedures

IV.A.1 Key Testing Factors (p. 53). Management should consider:
1. Scope. The tests and methods used, in the aggregate, should be sufficient to validate the effectiveness of the security process in identifying and appropriately controlling risk from information security-related events.
2. Personnel. Review the qualifications of testing personnel to verify that the testers’ capabilities are adequate to support the test objectives.
3. Notifications. Consider how, and whom among bank staff, to notify about the timing and nature of tests, balancing the need to protect bank systems and avoid disruptive false alarms against the need to test personnel reactions to unexpected activity.
4. Confidentiality, integrity, and availability.
   a. Carefully control information security tests to limit the risk to confidentiality, integrity, and system availability.
   b. Use appropriate safeguards to protect sensitive customer information uncovered during testing.
   c. Ensure that employees and contract personnel who perform tests or have access to results have passed appropriate background checks, and that contract personnel are appropriately bonded.
   d. Have personnel who perform tests keep logs of their testing actions; some tests pose more risk to system availability than others, and the logs help establish the cause if a system reacts unexpectedly.
5. Confidentiality of test plans and data.
   a. Carefully limit the distribution of testing information, because knowledge of test planning and results may facilitate a security breach.
   b. Restrict test plans and data to the individuals involved in the testing.
   c. Make results available, in a usable form, only to those responsible for following up on tests.
   d. Require contractors to sign nondisclosure agreements and to return information obtained during testing.
6. Frequency.
   a. Use the bank’s IT risk management (ITRM) process to determine the frequency of independent testing.
   b. Consider the factors that may increase testing frequency:
      i. Changes to network configurations,
      ii. Changes to or additions of systems and applications,
      iii. Significant changes in potential attacker profiles and techniques, and
      iv. Results of other testing.
   Example: a testing process that covers security and usability over the life cycle of a system, with testing during development, before a new or modified system is placed into production, and periodically while the production system or application is in service.
Proxy testing: see p. 54 for supervisory concerns and the appropriate use of proxy testing.
Examination Procedures

3. Determine whether management uses the following types of tests and evaluations to determine the effectiveness of the information security program. Verify whether management ensures the following are done:
   a. Periodic self-assessments performed by the organizational unit being assessed.
   b. Penetration tests that subject a system to real-world attacks and identify weaknesses.
   c. Vulnerability assessments that define, identify, and classify the security holes found in the system.
   d. Audits performed by independent internal departments or third parties.

Bank Procedures

IV.A.2(a) Self-Assessments (p. 54)
1. Should be:
   a. Performed by the organizational unit being assessed.
   b. Periodic, with the frequency determined by the risk management process and the level of assurance needed.
2. May:
   a. Provide information about perceived changes in the level of risk and the effectiveness of controls.
   b. Inform the overall test and evaluation process, and be used by management to help strengthen the organizational unit’s information security.
3. Are affected by:
   a. Breadth and depth of the assessor’s knowledge,
   b. Completeness and reliability of the information used to complete the assessment, and
   c. The assessor’s biases.
IV.A.2(b) Penetration Tests (p. 55). Management should determine:
1. The level and types of tests employed, to ensure effective and comprehensive coverage.
2. The level of independence required of the test.
3. The frequency and scope of a penetration test, which should be a function of the level of assurance the institution needs and be determined by the risk assessment process.
4. Implementation. Tests can be performed internally by independent groups, internally by the organizational unit itself, or by an independent third party.
IV.A.2(c) Vulnerability Assessments (p. 55). Management should:
1. Where host agents are required, give prime consideration to the security of the credentials used in the scan.
2. Determine the frequency of vulnerability assessments through the risk management process.
IV.A.2(d) Audits (p. 56) should:
1. Review every aspect of the information security program, the environment in which the program runs, and the outputs of the program;
2. Assess the reasonableness and appropriateness of, and compliance with, policies, standards, and procedures;
3. Report information security activity and control deficiencies to decision makers;
4. Identify root causes and recommendations to address deficiencies;
5. Test the effectiveness of controls within the program; and
6. Typically be performed by independent internal departments or third parties.
7. Internal audit should track the results and remediation of control deficiencies reported in audits and in additional technical reviews, such as penetration tests and vulnerability assessments.
Refer to the IT Handbook’s “Audit” booklet for more information.

Examination Procedures

4. Determine whether management uses independent organizations to test aspects of its information security program.

Bank Procedures

IV.A.3 Independence of Tests and Audits (p. 56)
To be considered independent:
1. Testing personnel should not be responsible for:
   a. The design, installation, maintenance, and operation of the tested system, or
   b. The policies and procedures that guide its operation.
2. Reports generated from the tests should be prepared by individuals who are similarly independent.

Examination Procedures

5. Determine whether management uses reporting of the results of self-assessments, penetration tests, vulnerability assessments, and audits to support management decision making.

Bank Procedures

IV.A.4 Assurance Reporting (p. 56). Management should:
1. Make decisions supported by the reporting of self-assessments, penetration tests, vulnerability assessments, and audits.
2. Use that reporting to support a range of IT risk management activities, including the prioritization and funding of resource allocations and improvements to existing information security policies and procedures.
3. Ensure that assurance reports are timely, complete, transparent, and relevant to management decisions, and that they:
   a. Prioritize risks and findings in order of importance;
   b. Suggest options for remediation and highlight repeat issues;
   c. Address root causes;
   d. Are submitted to individuals with the authority and responsibility to act on them, to those accountable for the outcomes, and to those responsible for advising on or influencing risk decisions;
   e. Trigger appropriate, timely, and reliable escalation and response procedures; and
   f. Include summary reports made available to the board, as appropriate.

Examination Procedures

6. Determine whether the annual information security report is timely and contains adequate information.

Objective 11: Discuss corrective action and communicate findings.

Examination Procedures

1. Review preliminary conclusions with the examiner-in-charge regarding:
   a. Violations of laws and regulations.
   b. Significant issues warranting inclusion as matters requiring attention or recommendations in the report of examination.
   c. The proposed Uniform Rating System for Information Technology management component rating, and the potential impact of the examiner’s conclusions on the composite or other component IT ratings.
   d. The potential impact of the examiner’s conclusions on the institution’s risk assessment.

2. Discuss findings with management and obtain proposed corrective action for significant deficiencies.

3. Document conclusions in a memorandum to the examiner-in-charge that provides report-ready comments for all relevant sections of the report of examination and guidance to future examiners.

4. Organize work papers to ensure clear support for significant findings by examination objective.
